SSA-814963 V1.0: Insecure Inherited Permission in Mendix
Risk Summary
<p>Mendix documentation for access rules does not adequately describe the special behavior of the System.User entity, leaving developers without sufficient guidance to configure access rules securely. This documentation gap may lead application developers to unknowingly apply overly permissive access rules to System.User, resulting in unintended exposure of sensitive user data or privilege escalation within deployed Mendix applications.</p> <p>A common misconfiguration identified is with the anonymous user role with a System.User entity to gain access to all stored records, even though no access rights are explicitly configured on that role.</p> <p>Siemens recommends Mendix developers to review their access rules based on <a href="https://docs.mendix.com/refguide/access-rules/">updated documentation</a>.</p>
Remediations
- Refer to Siemens ProductCERT advisory for patch and remediation guidance.
Affected Vendors
Affected Products (1)
Get alerted to advisories like this
OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.
Start free trial Learn more