CVE-2026-7891: A vulnerability has been identified in Mendix Runtime (All versions).
A vulnerability has been identified in Mendix Runtime (All versions). Mendix documentation for access rules does not adequately describe the special behavior of the System.User entity, leaving developers without sufficient guidance to configure access rules securely. This documentation gap may lead application developers to unknowingly apply overly permissive access rules to System.User, resulting in unintended exposure of sensitive user data or privilege escalation within deployed Mendix applications.
Security readout for executives and security teams
Plain-English summary
Mendix Runtime applications may be put at risk because access-rule documentation did not clearly explain special behavior for the System.User entity. Developers could unintentionally allow broad access to user data or privilege-related functions. The risk is serious, but exposure depends on how each Mendix application was configured.
Executive priority
Treat this as urgent configuration risk, not just a software version issue. Assign application owners to review Mendix authorization immediately, especially for customer-facing or workforce identity-related apps. No confirmed active exploitation is cited in the provided sources.
Technical view
CVE-2026-7891 affects Mendix Runtime, described as all versions. It is classified as CWE-277 with CVSS 3.1 score 9.1. The issue is a documentation gap around System.User access rules that can lead to overly permissive application-level authorization, causing confidentiality and integrity impact.
Likely exposure
Organizations running Mendix applications are potentially exposed if their apps define permissive access rules for System.User. Internet-facing apps and apps containing sensitive user profiles, account data, or administrative workflows should be prioritized. The exact exposure is application-specific and cannot be determined from version alone.
Exploitation context
The CVSS vector indicates remote, low-complexity, unauthenticated exploitation without user interaction. However, the provided sources do not state active exploitation, and CISA KEV is false. Practical exploitability depends on whether a deployed Mendix app contains the risky access-rule configuration.
Researcher notes
This appears configuration-dependent and rooted in documentation clarity around System.User behavior. The CVE says all Mendix Runtime versions are affected, but real impact requires checking each app’s access rules. The provided bundle does not include detailed patch information.
Mitigation direction
Review Siemens SSA-814963 and DIVD Mendix guidance for current remediation direction.
Audit all Mendix apps for access rules involving System.User.
Restrict System.User access to least privilege for each application role.
Prioritize internet-facing apps and apps containing sensitive user data.
If vendor guidance changes, follow Siemens and DIVD instructions promptly.
Validation and detection
Inventory deployed Mendix Runtime applications and owners.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-277: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references privilege impact, so privilege escalation and authorization behavior review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
3Timeline events
1ADP providers
4Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: yesTechnical Impact: total
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-277 · source CWE mapping
Insecure Inherited Permissions
Insecure Inherited Permissions represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.