CVE-2022-27241

7.5 HIGH

📋 TL;DR

This vulnerability in Mendix applications exposes internal project structure information to unauthenticated remote attackers. It affects Mendix applications built with versions 7 (<7.23.31), 8 (<8.18.18), 9 (<9.11), and specifically version 9.6 (<9.6.12). Attackers can read confidential information without authentication.

💻 Affected Systems

Products:
  • Mendix Applications
Versions: Mendix 7 (<7.23.31), Mendix 8 (<8.18.18), Mendix 9 (<9.11), Mendix 9.6 (<9.6.12)
Operating Systems: All platforms running Mendix applications
Default Config Vulnerable: ⚠️ Yes
Notes: Affects applications built with vulnerable Mendix Studio/Studio Pro versions, not the runtime itself.

⚠️ Risk & Real-World Impact

🔴 Worst Case
Complete exposure of sensitive application data including database credentials, API keys, business logic, and user data, leading to data breach and system compromise.

🟠 Likely Case
Exfiltration of configuration files, source code, and sensitive metadata, enabling further attacks and intellectual property theft.

🟢 If Mitigated
Limited exposure of non-critical project files with no access to production data or credentials.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

No authentication is required; simple HTTP requests can trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Mendix 7.23.31, Mendix 8.18.18, Mendix 9.11, Mendix 9.6.12

Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-414513.pdf

Restart Required: Yes

Instructions:

1. Update Mendix Studio/Studio Pro to a patched version.
2. Rebuild and redeploy affected applications.
3. Restart application servers.

🔧 Temporary Workarounds

Network Access Control (applies to: all)
Restrict access to Mendix applications using firewalls or network segmentation.

Web Application Firewall (applies to: all)
Deploy a WAF with rules to block requests accessing internal project structure paths.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Mendix applications from untrusted networks
  • Deploy reverse proxy with URL filtering to block access to internal project paths

🔍 How to Verify

Check if Vulnerable:

Check Mendix Studio/Studio Pro version used to build the application against affected versions list

Check Version:

Check Mendix model version in project directory or application metadata

Verify Fix Applied:

Verify application was rebuilt with patched Mendix version and test that internal project structure is no longer accessible

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to internal project paths like /project/, /model/, /deployment/

Network Indicators:

  • Unusual access patterns to application metadata endpoints from external IPs

SIEM Query:

source="web_server" AND (uri_path="/project/*" OR uri_path="/model/*" OR uri_path="/deployment/*")
