Siemens is aware of the blog post published by DIVD [1] that made a public disclosure of authorization misconfiguration in customer-owned applications built on the Mendix platform. Organizations running Mendix applications are strongly advised to immediately review their authorization configurations and assess whether any data exposure has occurred.

The identified issue is not a vulnerability in the Mendix platform itself, but rather the result of incorrect application-level authorization configurations by application owners and developers. Affected applications may expose sensitive data to anonymous or insufficiently restricted users without requiring any software exploit.

The reported findings describe a security misconfiguration observed across multiple Mendix applications, where data sources (entities) are accessible to anonymous users or newly registered users due to overly permissive authorization settings.

This is an application-level configuration issue, not a vulnerability in the Mendix platform. It can occur in any Mendix application — regardless of version or hosting environment — where authorization has not been correctly designed and enforced.

Common root causes include:

• Entity access rules that are too permissive
• Incorrect module role mappings and user role assignments
• Missing or overly broad XPath constraints
• Excessive permissions granted to anonymous or newly registered users

This issue is not limited to a specific Mendix version or hosting environment. It may affect:

• Mendix Cloud hosted applications
• On-premise Mendix installations
• Internet-facing portals built on Mendix

No software exploit is required to misuse a misconfigured application. Anonymous access or a basic user account may be sufficient to retrieve data through normal Mendix runtime requests (e.g., /xas).

This makes potential abuse:

• Easy to execute — no technical exploitation required
• Hard to detect — requests appear as normal application traffic
• Scalable — the same approach can be applied across many misconfigured applications

Depending on the data exposed by a misconfigured application, the potential impact includes:

• Unauthorized access to sensitive personal data (names, contact details, addresses, internal records, documents, ID images)
• Risk of fraud and phishing using exposed data
• Reputational damage to the affected organization
• GDPR/AVG compliance risk, including potential obligation to notify relevant data protection authorities and affected individuals of a data breach

Siemens strongly urges all Mendix application owners and developers to immediately review their application authorization configurations. For detailed guidance, refer to the Mendix Security Guidance [2].

• Review entity access rules for all entities
• Review module role mappings and user role assignments
• Validate XPath constraints and data visibility rules
• Review permissions granted to the Anonymous user
• Review permissions of newly registered and default users
• Disable anonymous access unless strictly necessary
• Review published REST services and microflows for proper authorization enforcement

• Restrict access immediately
• Review available application logs for signs of unauthorized access
• Assess whether a data breach notification is required under GDPR or other applicable regulations
• Consult your legal and compliance teams

• Perform a dedicated security review and/or penetration test focused on authorization and data exposure
• Consider upgrading to a supported Mendix version (e.g., Mendix 10 LTS or Mendix 11 MTS) where applicable
• For applications running on Mendix 10.19 or later, or Mendix 11, consider enabling Strict Mode [3], which restricts direct data retrieval through the Mendix Client API (/xas), effectively removing a key vector for this type of misconfiguration. Note that enabling Strict Mode requires a migration process and not all widgets are currently supported — careful evaluation is advised before enabling this in production environments.

• Mendix Data Storage and Entity Access
• Mendix Role-Based Access Control
• [1] Mendix applications: unintended data exposure due to authorization misconfiguration
• [2] Mendix Security Guidance
• [3] Mendix Strict Mode