OTPulse

Access Check Bypass Vulnerability in Mendix

Monitor · CVSS 5.3 · SSA-352521 · Jul 13, 2021
Attack Vector: Network
Privileges Required: Low
Attack Complexity: High
User Interaction: None needed
Summary

An incorrect authorization check in Mendix applications allows an attacker with valid user credentials to bypass write permission restrictions on object attributes under certain circumstances. This could enable unauthorized modification of data that should be read-only or inaccessible to that user role. The vulnerability affects Mendix 7 (before 7.23.22), Mendix 8 (before 8.18.7), and Mendix 9 (before 9.3.0).

What this means
What could happen
An attacker with user credentials could modify data attributes they should not have write access to, potentially altering operational parameters, alarms, or control logic in Mendix-based industrial applications. This could affect process monitoring, configuration, or decision-making systems that rely on data integrity.
Who's at risk
Organizations running Mendix-based applications for operational support, data management, or monitoring in water, electric, or manufacturing environments. This affects any application using Mendix 7 (before 7.23.22), Mendix 8 (before 8.18.7), or Mendix 9 (before 9.3.0) where users with limited permissions access sensitive operational data or control parameters.
How it could be exploited
An attacker with valid user credentials logs into a Mendix application and exploits a flaw in the authorization logic to write to object attributes where their permissions should only allow read access or no access. The attacker leverages this bypass to modify operational data outside their assigned role.
Prerequisites
  • Valid user credentials (login to the Mendix application)
  • Access to a Mendix application running an affected version
  • Knowledge of the target attribute names and object structure
Tags: Remotely exploitable · Requires valid user credentials · Affects data integrity and authorization controls · High attack complexity
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (3), all with a fix available

Product                              Affected versions   Fixed in
Mendix Applications using Mendix 7   < V7.23.22          V7.23.22
Mendix Applications using Mendix 8   < V8.18.7           V8.18.7
Mendix Applications using Mendix 9   < V9.3.0            V9.3.0
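The fixed version differs per major line, so a naive "is my version older than 9.3.0" check would wrongly flag every Mendix 7 and 8 application as affected and wrongly clear nothing. The script below is an added example, not part of the OTPulse or Siemens advisory: it classifies an inventory of deployed applications against the three fixed versions in the table above. The application names and versions in SAMPLE_INVENTORY are constructed for the example; Mendix majors not named by the advisory (6, 10) are reported as "not covered" rather than as fixed or affected, since the advisory makes no statement about them.

```python
"""Added example (not from the OTPulse/Siemens advisory): triage deployed Mendix
applications against the fixed versions given for Mendix 7, 8 and 9."""

# Fixed releases per major line, taken from the advisory's affected-products table.
FIXED_VERSIONS = {7: (7, 23, 22), 8: (8, 18, 7), 9: (9, 3, 0)}


def parse_version(version):
    """Parse '8.18.6', 'V8.18.6' or '9.3.0.12345' into (major, minor, patch).

    A trailing build number, as shown in the Mendix console, is ignored because
    the advisory pins fixed versions at major.minor.patch granularity."""
    parts = version.strip().lstrip("vV").split(".")
    if len(parts) < 3:
        raise ValueError(f"unexpected Mendix version string: {version!r}")
    return tuple(int(p) for p in parts[:3])


def is_affected(version):
    """True if the version is below the fixed release of its own major line,
    False if it is at or above it, None if the advisory does not cover that major."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return None
    return parsed < fixed


def triage(inventory):
    """inventory: iterable of (app_name, mendix_version) pairs.

    Returns {'affected': [...], 'fixed': [...], 'not_covered': [...]} so the
    'affected' list can go straight onto the patching schedule."""
    result = {"affected": [], "fixed": [], "not_covered": []}
    for name, version in inventory:
        status = is_affected(version)
        if status is None:
            result["not_covered"].append(name)
        elif status:
            result["affected"].append(name)
        else:
            result["fixed"].append(name)
    return result


# Constructed sample inventory: hypothetical application names and versions,
# chosen to sit on both sides of each fixed release.
SAMPLE_INVENTORY = [
    ("scada-reports", "7.23.21"),
    ("water-telemetry", "V7.23.22"),
    ("alarm-console", "8.18.6"),
    ("shift-handover", "8.18.7"),
    ("lims-portal", "9.2.1"),
    ("maintenance-ops", "9.3.0.12345"),
    ("legacy-dashboard", "6.10.19"),
]

if __name__ == "__main__":
    for bucket, apps in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(apps) or '-'}")
```

Feed it the version column from your application inventory (the Mendix runtime version is visible in each deployed app's environment details) and treat the "not_covered" bucket as a prompt to check the vendor advisory for those major lines, not as a clean bill of health.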
Remediation & Mitigation
Do now

HARDENING: Audit recent data changes in Mendix applications for unauthorized modifications to critical attributes, in particular writes made by roles whose access rules grant only read access (or no access) to those attributes.

Schedule (requires maintenance window)

Mendix fixes ship as new runtime versions, so each affected application has to be upgraded to the fixed Mendix version, rebuilt and redeployed; plan for application downtime rather than a device reboot.

HOTFIX: Update Mendix 7 applications to version 7.23.22 or later
HOTFIX: Update Mendix 8 applications to version 8.18.7 or later
HOTFIX: Update Mendix 9 applications to version 9.3.0 or later
HARDENING: Review user permissions and role-based access controls in Mendix applications to ensure proper attribute-level restrictions