OTPulse

XPath Constraint Vulnerability in Mendix Runtime

Status: Monitor
CVSS: 5.9
Advisory: SSA-252808
Date: Feb 14, 2023
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Mendix applications contain an improper access control vulnerability in XPath constraint handling that allows attackers to bypass authorization checks and retrieve sensitive information using crafted XPath queries that trigger error messages. The vulnerability affects Mendix 7, 8, and 9 across multiple minor versions. Error responses leak database contents or configuration details that attackers can use to systematically extract data without requiring user authentication or complex attack techniques.

What this means
What could happen
An attacker could bypass access controls in Mendix applications and extract sensitive information from databases by crafting malicious XPath queries that trigger error messages revealing data.
Who's at risk
Organizations running Mendix-based applications for process data management, SCADA front-ends, or analytics platforms. Utilities and water authorities using Mendix for operations monitoring, alarm systems, or historian integration should prioritize patching. Enterprise resource planning (ERP) and manufacturing execution system (MES) modules built on Mendix are at risk of unauthorized data disclosure.
How it could be exploited
An attacker sends specially crafted XPath queries to a Mendix application over the network. Error messages from failed XPath constraint checks leak database contents or configuration data. The attacker iteratively refines queries based on error responses to extract information without authentication.
Prerequisites
  • Network access to the Mendix application
  • Ability to submit XPath queries (typically via web interface or API endpoint)
  • No authentication required
  • Remotely exploitable
  • No authentication required
  • Information disclosure (confidentiality impact)
  • Low EPSS score but access control weakness
  • Low attack complexity workaround available
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (6)
6 with fix
Product                                      | Affected Versions | Fix Status
Mendix Applications using Mendix 7           | < V7.23.34        | fixed in 7.23.34
Mendix Applications using Mendix 8           | < V8.18.23        | fixed in 8.18.23
Mendix Applications using Mendix 9           | < V9.22.0         | fixed in 9.22.0
Mendix Applications using Mendix 9 (V9.12)   | < V9.12.10        | fixed in 9.12.10
Mendix Applications using Mendix 9 (V9.18)   | < V9.18.4         | fixed in 9.18.4
Mendix Applications using Mendix 9 (V9.6)    | < V9.6.15         | fixed in 9.6.15
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to Mendix application endpoints to authorized users only using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Mendix 7 applications to version 7.23.34 or later and redeploy
HOTFIX: Update Mendix 8 applications to version 8.18.23 or later and redeploy
HOTFIX: Update Mendix 9.6 applications to version 9.6.15 or later and redeploy
HOTFIX: Update Mendix 9.12 applications to version 9.12.10 or later and redeploy
HOTFIX: Update Mendix 9.18 applications to version 9.18.4 or later and redeploy
HOTFIX: Update Mendix 9.22+ applications to version 9.22.0 or later and redeploy
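The affected-versions table and the hotfix list above encode one piece of branch logic: the Mendix 9 LTS lines (9.6, 9.12, 9.18) each have their own fixed version, and every other 9.x build is only fixed from 9.22.0. The following is an added Python example (not OTPulse's, Siemens' or Mendix's own tooling) that classifies a Mendix runtime version string against those six fixed versions so an operator can run it over an application inventory. The branch prefixes and fixed versions are transcribed from this advisory; the inventory, application names and version strings are constructed for illustration, and a version whose major release is not listed here (for example 10.x) is reported as "not covered by this advisory" rather than as safe.

```python
"""Check Mendix runtime versions against the fixed versions in SSA-252808.

Added example, not OTPulse's or Mendix's own code. FIX_TABLE is transcribed
from the advisory's "Affected products" list; SAMPLE_INVENTORY is constructed.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class FixStatus(NamedTuple):
    affected: bool
    fixed_in: Optional[str]   # None when the major version is not in the advisory
    branch: Optional[str]


# (branch label, version prefix that selects the branch, first fixed version).
# Order matters: the Mendix 9 LTS branches must be matched before the 9.x catch-all.
FIX_TABLE = [
    ("Mendix 7",    (7,),    "7.23.34"),
    ("Mendix 8",    (8,),    "8.18.23"),
    ("Mendix 9.6",  (9, 6),  "9.6.15"),
    ("Mendix 9.12", (9, 12), "9.12.10"),
    ("Mendix 9.18", (9, 18), "9.18.4"),
    ("Mendix 9",    (9,),    "9.22.0"),
]

# Accepts "9.6.15", "V9.6.15" and four-part build strings such as "9.6.15.12345".
_VERSION_RE = re.compile(r"^[vV]?(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a Mendix version string into a tuple of ints that compares numerically."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Mendix version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def fix_status(version: str) -> FixStatus:
    """Look up the advisory branch for a version and say whether it is below the fix."""
    v = parse_version(version)
    for branch, prefix, fixed_in in FIX_TABLE:
        if v[:len(prefix)] == prefix:
            # Tuple comparison handles build suffixes: (9, 12, 10, 12345) >= (9, 12, 10).
            return FixStatus(affected=v < parse_version(fixed_in),
                             fixed_in=fixed_in, branch=branch)
    return FixStatus(affected=False, fixed_in=None, branch=None)


def needs_patch(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (app, version, fixed_in) for every app still on an affected version."""
    result = []
    for app, version in inventory:
        status = fix_status(version)
        if status.affected:
            result.append((app, version, status.fixed_in))
    return result


# Constructed sample inventory; application names and versions are made up.
SAMPLE_INVENTORY = [
    ("alarm-dashboard",  "7.23.30"),        # below 7.23.34: affected
    ("historian-portal", "8.18.23"),        # exactly the fixed version: not affected
    ("water-ops",        "V9.6.14"),        # LTS 9.6 branch, below 9.6.15: affected
    ("mes-bridge",       "9.12.10.12345"),  # build of the fixed 9.12.10: not affected
    ("scada-front",      "9.10.2"),         # non-LTS 9.x, fixed only from 9.22.0
    ("new-app",          "10.0.1"),         # major version not covered by the advisory
]

if __name__ == "__main__":
    for app, ver, fixed in needs_patch(SAMPLE_INVENTORY):
        print(f"{app}: {ver} is affected, update to {fixed} or later and redeploy")
    for app, ver in SAMPLE_INVENTORY:
        if fix_status(ver).branch is None:
            print(f"{app}: {ver} is not covered by SSA-252808, check separately")
```

Feed it the runtime version reported by each deployment (Mendix prints it at startup and in the Developer Portal) rather than the version pinned in source control, since the advisory's remediation is to update and redeploy; an application whose source was bumped but not redeployed still runs the old runtime.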