Entity Enumeration Vulnerability in Mendix Runtime
Monitor · CVSS 5.3 · Siemens advisory SSA-874353 · Apr 8, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Mendix Runtime allows entity enumeration through distinguishable responses in client actions. An unauthenticated remote attacker can enumerate valid entities and attribute names in a Mendix Runtime-based application by analyzing response patterns to infer the data model structure.
What this means
What could happen
An attacker could discover your application's complete data model (entity and attribute names) without authentication, enabling them to craft targeted attacks against known data structures or identify sensitive information fields.
Who's at risk
Siemens Mendix Runtime-based applications. This affects any organization using Mendix as a low-code development platform for business applications, web portals, or internal tools. Particularly relevant if your applications handle sensitive configuration data or process information that should not be discoverable.
How it could be exploited
An attacker sends client actions to the Mendix Runtime and compares the responses. Because the runtime answers differently for valid and invalid entity and attribute names, the attacker can use the response as an oracle and systematically enumerate all entities and their attributes without any login credentials.
Prerequisites
- Network access to the Mendix Runtime application endpoint
- No authentication required
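The oracle technique described above, as an added illustration of the vulnerability class rather than code from the advisory or from Mendix: a toy request handler that validates the request against its data model before checking authorization (and so answers differently per failure cause), a hardened variant that returns one uniform response for every failure, and an enumerator that recovers the model from response differences alone. The data model, the handlers, their messages and the wordlists are all constructed for this example; they do not reproduce Mendix Runtime's actual client-action protocol or the vendor's fix.

```python
"""Oracle-based data-model enumeration, illustrating the vulnerability class
described above. The toy handlers, their data model, responses and wordlists
are all constructed for this example; they are not Mendix Runtime code and do
not reproduce its real client-action protocol or the vendor's fix."""
from dataclasses import dataclass

# Constructed data model of a hypothetical application (assumption, not Mendix's).
DATA_MODEL = {
    "Customer": {"Name", "Email", "CreditLimit"},
    "Invoice": {"Number", "Amount", "DueDate"},
    "Secret": {"ApiToken"},
}

# Constructed wordlists an attacker might try (assumption).
ENTITY_WORDLIST = ["Account", "Customer", "Invoice", "Order", "Secret"]
ATTRIBUTE_WORDLIST = ["Name", "Email", "Amount", "ApiToken", "Number",
                      "DueDate", "CreditLimit", "Password"]


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def vulnerable_retrieve(entity: str, attribute: str, session_ok: bool = False) -> Response:
    """Leaky handler: validates the request against the data model before
    checking authorization, and the error differs per failure cause."""
    if entity not in DATA_MODEL:
        return Response(400, f"Unknown entity '{entity}'")
    if attribute not in DATA_MODEL[entity]:
        return Response(400, f"Entity '{entity}' has no attribute '{attribute}'")
    if not session_ok:
        return Response(401, "Not authorized")
    return Response(200, "<data>")


def hardened_retrieve(entity: str, attribute: str, session_ok: bool = False) -> Response:
    """Uniform handler: authorization is decided first and every failure path
    returns the identical status and body, so nothing about the model leaks.
    (Illustrates the general mitigation, not the vendor's actual change.)"""
    if not session_ok or entity not in DATA_MODEL or attribute not in DATA_MODEL[entity]:
        return Response(401, "Not authorized")
    return Response(200, "<data>")


def fingerprint(resp: Response, *probed: str) -> tuple:
    """Normalise a response so only its shape matters: the probed names are
    masked out of the body, leaving status code plus message template."""
    body = resp.body
    for name in probed:
        body = body.replace(name, "<x>")
    return (resp.status, body)


def enumerate_model(retrieve, entity_words, attribute_words) -> dict:
    """Recover entity -> attribute names from response differences alone.

    An entity is judged to exist when probing it with a guaranteed-bogus
    attribute no longer yields the same response shape as a bogus entity;
    an attribute exists when its response shape differs from that
    'valid entity, bogus attribute' baseline."""
    bogus = "zz_nonexistent_zz"
    unknown_entity = fingerprint(retrieve(bogus, bogus), bogus)
    found = {}
    for ent in entity_words:
        baseline = fingerprint(retrieve(ent, bogus), ent, bogus)
        if baseline == unknown_entity:
            continue  # indistinguishable from a non-existent entity
        found[ent] = {a for a in attribute_words
                      if fingerprint(retrieve(ent, a), ent, a) != baseline}
    return found


if __name__ == "__main__":
    print("leaky handler:", enumerate_model(vulnerable_retrieve, ENTITY_WORDLIST, ATTRIBUTE_WORDLIST))
    print("hardened     :", enumerate_model(hardened_retrieve, ENTITY_WORDLIST, ATTRIBUTE_WORDLIST))
```

Against the leaky handler the enumerator reconstructs the whole constructed model from the wordlists; against the hardened one it recovers nothing, because every probe collapses to the same fingerprint. Two design points carry over to real systems: the authorization decision must come before any lookup that depends on the caller's input (otherwise response timing becomes the next oracle), and masking names before comparing responses is what lets an attacker defeat "helpful" error messages, so the only robust defence is a uniform response, not a subtler one. The toy does not tell you whether a given Mendix application is affected; the version table below does.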
Tags: remotely exploitable · no authentication required · low complexity · information disclosure
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (6), all with a fix available
Product | Affected Versions | Fix Status
Mendix Runtime V8 | < V8.18.35 | fixed in 8.18.35
Mendix Runtime V9 | < V9.24.34 | fixed in 9.24.34
Mendix Runtime V10.6 | < V10.6.22 | fixed in 10.6.22
Mendix Runtime V10.12 | < V10.12.16 | fixed in 10.12.16
Mendix Runtime V10.18 | < V10.18.5 | fixed in 10.18.5
Mendix Runtime V10 | < V10.21.0 | fixed in 10.21.0
Remediation & Mitigation
Schedule: requires a maintenance window
Patching may require an application restart; plan for process interruption
Mendix Runtime V8
HOTFIX: Update Mendix Runtime V8 to version 8.18.35 or later
Mendix Runtime V9
HOTFIX: Update Mendix Runtime V9 to version 9.24.34 or later
Mendix Runtime V10.6
HOTFIX: Update Mendix Runtime V10.6 to version 10.6.22 or later
Mendix Runtime V10.12
HOTFIX: Update Mendix Runtime V10.12 to version 10.12.16 or later
Mendix Runtime V10.18
HOTFIX: Update Mendix Runtime V10.18 to version 10.18.5 or later
Mendix Runtime V10
HOTFIX: Update Mendix Runtime V10 (main line) to version 10.21.0 or later
CVEs (1)