CVE-2022-26314
published 2022-03-08

Priority: P2 (58)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.44% (69.8th percentile)
A vulnerability has been identified in Mendix Forgot Password Appstore module (All versions >= V3.3.0 < V3.5.1), Mendix Forgot Password Appstore module (Mendix 7 compatible) (All versions < V3.2.2). Initial passwords are generated in an insecure manner. This could allow an unauthenticated remote attacker to efficiently brute force passwords in specific situations.

Affected

4 ranges

Vendor    Product                                   Version range        Fixed in
mendix    forgot_password                           < 3.2.2              3.2.2
mendix    forgot_password                           >= 3.3.0 < 3.5.1     3.5.1
siemens   mendix_forgot_password_appstore_module    (not given)          (not given)
siemens   mendix_forgot_password_appstore_module    (not given)          (not given)

Detection & IOCs (extracted from sources)

  • CVE-2022-26314 involves insecure initial password generation in the Mendix Forgot Password Appstore module, enabling unauthenticated remote brute force of passwords. Monitor for excessive authentication attempts against Mendix application login endpoints.
  • No known public exploits specifically target these vulnerabilities as of the advisory date; focus detection on anomalous login volume/rate rather than known exploit signatures.
  • The brute force risk is conditional: exploitation is only efficient in 'specific situations' tied to the insecure initial password generation, not universally against all Mendix accounts.
  • Disabling the sign-up feature in Mendix is documented as a mitigation path if patching is not immediately possible.

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd      v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P