The S-Unit

The S-Unit Top 10 Mendix Vulnerabilities 2025

Discover the most common Mendix security risks

As a Mendix security specialist, we help organizations quickly identify and prevent security risks on the Mendix low-code platform. That is why we have introduced The S-Unit Top 10 Mendix Vulnerabilities, inspired by the OWASP Top 10. The S-Unit Top 10 supports developers and IT managers in recognizing and preventing vulnerabilities that could compromise the security of Mendix applications.

The S-Unit Top 10: checklist for your Mendix applications

Every application has weak spots. But do you know which security risks occur most often in Mendix? The S-Unit Top 10 Mendix Vulnerabilities shows them all in one overview.

The S-Unit Top 10 is based on more than ten years of experience: offensive security work, hundreds of Mendix penetration tests, realistic attack scenarios, and extensive analysis of our reports. The overview brings together the vulnerabilities we encounter most often in practice, as a checklist for keeping your Mendix applications secure.

Stay up to date

The Mendix platform is constantly evolving with new features and security measures, and as the platform grows, the threat landscape changes with it. Because Mendix is also our client, we are among the first to learn about new developments and to test releases before they become generally available. By continuously updating The S-Unit Top 10, we provide the most up-to-date insights into the key Mendix security risks. Stay up to date with the latest insights on our website.

Looking for more information about The S-Unit Top 10? Reach out to us.

The S-Unit Top 10

User roles are often misconfigured: incorrect module roles mapped to a user role (including module roles from marketplace modules), unnecessary administrator rights, or excessive privileges in general. Such misconfigurations increase the risk of misuse, because a user role receives the full page, microflow and entity access of every module role mapped to it.


Microflows

Microflows are the heart of Mendix applications, but often also a source of vulnerabilities. Examples include insecure access rights (a microflow allowed for user roles that should not be able to run it), incorrect use of "Apply entity access" (a microflow that runs without entity access ignores the access rules and XPath constraints of the current user), and poor implementation of sensitive logic.

Published integrations (REST and web services) often fail due to missing authentication, misconfigured access roles, or insecure import/export mappings that expose more attributes than the integration needs. As a result, sensitive information may become accessible to unauthorized users.

Consuming integrations also introduce risks. Insecure URL structures (user input concatenated into the request URL without encoding or validation), improperly formatted JSON/XML/SOAP payloads, and insufficient validation of the data returned by the external system can enable manipulation and misuse.
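The URL problem in practice, as an added example for a custom Java action that calls an external API (this is illustration code added here, not code from The S-Unit or from Mendix). The base URL, the identifier format and the class name are assumptions. The vulnerable builder pastes the caller's value into the path; the hardened builder validates it against an allowlist, percent-encodes it, and checks that the final URI still points at the expected host and path prefix.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

// Assumed base URL of the consumed API and assumed identifier format.
public final class CustomerLookupUrl {

    static final String BASE = "https://api.example.internal/v1/customers/";
    static final Pattern ID_PATTERN = Pattern.compile("[A-Za-z0-9-]{1,40}");

    // VULNERABLE: the caller-supplied id lands in the path unchanged. An id such as
    // "123?role=admin" smuggles in a query string, and "../admin/users" walks up the
    // path, so the request goes to a different resource than intended.
    static String buildVulnerable(String customerId) {
        return BASE + customerId + "/orders";
    }

    // HARDENED: allowlist the shape of the id, percent-encode it, and verify that the
    // normalized URI did not leave the expected host and path prefix.
    static String buildHardened(String customerId) {
        if (customerId == null || !ID_PATTERN.matcher(customerId).matches()) {
            throw new IllegalArgumentException("customer id has an unexpected format");
        }
        String encoded = URLEncoder.encode(customerId, StandardCharsets.UTF_8);
        URI base = URI.create(BASE);
        URI uri = URI.create(BASE + encoded + "/orders").normalize();
        if (!base.getHost().equals(uri.getHost()) || !uri.getPath().startsWith(base.getPath())) {
            throw new IllegalStateException("URL escaped the expected API prefix");
        }
        return uri.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs an attacker would send through the calling page or API.
        System.out.println(buildVulnerable("123?role=admin"));
        System.out.println(buildVulnerable("../admin/users"));
        System.out.println(buildHardened("C-123"));
        try {
            buildHardened("../admin/users");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same rule applies when the REST call is modelled in a microflow instead of Java: every user-controlled value that ends up in a URL template must be URL-encoded and checked against the format you expect, and the response must be validated before it is mapped into entities.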

Many applications still run on outdated runtimes, old Java libraries in the userlib folder, deprecated marketplace modules, or unsupported widgets. These components often contain known vulnerabilities that are easy to exploit, so the runtime, the Java libraries and the marketplace modules need to be kept up to date together.

Custom authentication is often misconfigured. Examples include insecure microflows behind published integrations, risky custom request handlers, or poorly implemented login handlers. A single mistake in this process can make the entire application vulnerable.

Custom Java code often unintentionally introduces risks. Examples include XPath injection in request handlers (user input concatenated into an XPath query), insecure direct object references in system or sudo contexts (which bypass entity access, so any object ID or key that the caller supplies is retrievable), or insecure use of XML parsers (external entities and DTDs left enabled).
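Two of these risks side by side, as an added example of custom Java in a Mendix project (illustration code added here, not code from The S-Unit or from Mendix). The module and entity names (Shop.Order, OrderNumber) are assumptions. The vulnerable lookup concatenates a request parameter into the XPath; the hardened lookup validates the value and hands it to the runtime for escaping (assumption: the Mendix Runtime API method Core.retrieveXPathQueryEscaped with %s placeholders; check the signature against your runtime version). The second half builds an XML parser with external entities and DTDs disabled.

```java
import com.mendix.core.Core;
import com.mendix.core.CoreException;
import com.mendix.systemwideinterfaces.core.IContext;
import com.mendix.systemwideinterfaces.core.IMendixObject;

import java.io.StringReader;
import java.util.List;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

// Assumed entity Shop.Order with a string attribute OrderNumber.
public final class OrderLookup {

    static final Pattern ORDER_NUMBER = Pattern.compile("[A-Z0-9-]{1,32}");

    // Pure string handling so the effect of the injection can be seen without the runtime.
    static String vulnerableXPath(String orderNumber) {
        return "//Shop.Order[OrderNumber = '" + orderNumber + "']";
    }

    // VULNERABLE: a request parameter such as   x' or OrderNumber != 'x
    // closes the string literal and adds an always-true constraint, so every order is returned.
    static List<IMendixObject> lookupVulnerable(IContext ctx, String orderNumber) throws CoreException {
        return Core.retrieveXPathQuery(ctx, vulnerableXPath(orderNumber));
    }

    // HARDENED: validate the shape first, then let the runtime escape the value
    // (assumed API: Core.retrieveXPathQueryEscaped, %s placeholder). Pass the requesting
    // user's IContext rather than Core.createSystemContext(): a system context ignores
    // entity access, which turns a guessed order number into a direct object reference.
    static List<IMendixObject> lookupHardened(IContext ctx, String orderNumber) throws CoreException {
        if (orderNumber == null || !ORDER_NUMBER.matcher(orderNumber).matches()) {
            throw new IllegalArgumentException("invalid order number");
        }
        return Core.retrieveXPathQueryEscaped(ctx, "//Shop.Order[OrderNumber = '%s']", orderNumber);
    }

    // XML parser with DOCTYPE, external entities and external DTD loading disabled (XXE hardening).
    static DocumentBuilder secureXmlParser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    static Document parseUntrustedXml(String xml) throws Exception {
        return secureXmlParser().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed attacker input for the XPath case.
        System.out.println(vulnerableXPath("x' or OrderNumber != 'x"));

        // Constructed XXE payload; the hardened parser rejects it at the DOCTYPE.
        String xxe = "<?xml version=\"1.0\"?><!DOCTYPE d [<!ENTITY e SYSTEM \"file:///etc/passwd\">]><d>&e;</d>";
        try {
            parseUntrustedXml(xxe);
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        parseUntrustedXml("<order><number>C-1</number></order>");
    }
}
```

The printed query for the injected value is //Shop.Order[OrderNumber = 'x' or OrderNumber != 'x'], which matches every order; the validation in lookupHardened rejects that input before it reaches the runtime, and the escaping is the second line of defence for values that pass the allowlist.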

Client-side vulnerabilities are often underestimated. Examples include sensitive constants exposed to the browser, hard-coded passwords, or XSS (cross-site scripting) through HTML widgets that render unescaped user input.

Cloud configuration largely determines the security of an application. Common issues include missing or weak Content Security Policy (CSP) headers, reusing secrets such as API keys and constant values across environments, and unintentionally leaving documentation handlers (for example /rest-doc/ and /ws-doc/) reachable in production.
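A weak CSP header next to a stricter starting point, as an added configuration example (not a policy supplied by The S-Unit or by Mendix). The directive list in the second header is an assumption for a typical application and must be verified against the Mendix client version in use:

```text
Weak: every source, inline script and eval are allowed, so the header stops no injected script
Content-Security-Policy: default-src * 'unsafe-inline' 'unsafe-eval'

Stricter starting point (assumed directive list; verify per application)
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'
```

Roll a policy out as Content-Security-Policy-Report-Only first and walk through every page of the application in a non-production environment, because the Mendix web client and individual widgets have their own requirements for inline scripts and styles; only switch to the enforcing header once the reports are clean. Apply the same per-environment discipline to secrets: each environment gets its own keys and constant values, so a leaked test credential cannot be replayed against production.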

Frequently Asked Questions (FAQ)

The OWASP Top 10. The OWASP Top 10 describes risks for web applications in general; The S-Unit Top 10 focuses specifically on the vulnerabilities we encounter in practice within the Mendix platform.

Regular penetration tests and security audits help identify risks in time. In collaboration with Omnext, we have developed a Mendix-specific solution that continuously and automatically scans for vulnerabilities. By integrating The S-Unit Top 10 into the CI/CD pipeline, risks are detected early and made directly visible. This reduces reliance on costly manual tests and keeps security proactively under control.