OTPulse

Incorrect Privilege Assignment Vulnerability in Mendix OIDC SSO Module

Severity: Low Risk (2.2)
Advisory: SSA-726617
Published: May 13, 2025
Attack Vector: Network
Auth Required: High
Complexity: High
User Interaction: None needed
Summary

The Mendix OIDC SSO module grants read and write access to all tokens exclusively to the Administrator role. An adversary could modify the module during Mendix development to exploit incorrect privilege assignment and gain unauthorized access to tokens.

What this means
What could happen
An attacker with development access to a Mendix application could modify the OIDC SSO module to read and write authentication tokens, potentially gaining unauthorized access to systems or data protected by those tokens.
Who's at risk
Organizations using Siemens Mendix low-code development platforms with OIDC SSO modules for authentication should patch immediately. This affects development teams and environments where Mendix is used to build enterprise applications that rely on OIDC authentication.
How it could be exploited
An attacker must first gain access to the Mendix development environment (as a developer or by compromising a developer account). Once in the development environment, they can modify the OIDC SSO module code to bypass token access restrictions and read or write tokens to other accounts or roles.
Prerequisites
  • Access to Mendix development environment
  • Developer or Administrator role in the Mendix application
  • Ability to modify module source code or configuration
Tags:
  • Privilege escalation possible
  • Requires development environment access
  • Low complexity exploitation
  • Affects authentication systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (3), 3 with fix

Product                                    | Affected Versions | Fix Status
-------------------------------------------|-------------------|-----------
Mendix OIDC SSO (Mendix 10 compatible)     | < 4.1.0           | 4.1.0
Mendix OIDC SSO (Mendix 10.12 compatible)  | < 4.0.1           | 4.0.1
Mendix OIDC SSO (Mendix 9 compatible)      | < 3.3.0           | 3.3.0
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Mendix OIDC SSO (Mendix 9 compatible)
HOTFIX: Update Mendix OIDC SSO (Mendix 9 compatible) to version 3.3.0 or later
Mendix OIDC SSO (Mendix 10.12 compatible)
HOTFIX: Update Mendix OIDC SSO (Mendix 10.12 compatible) to version 4.0.1 or later
Mendix OIDC SSO (Mendix 10 compatible)
HOTFIX: Update Mendix OIDC SSO (Mendix 10 compatible) to version 4.1.0 or later
Long-term hardening
HARDENING: Restrict development environment access to trusted developers and implement code review processes before module changes are deployed