DIVD research exposes configuration issues in 2,000+ Mendix environments

Digital development is accelerating. Organizations are increasingly building business-critical processes on low-code platforms. That speed creates opportunities, but also requires clear frameworks and mature governance.

Recent research by our colleagues Rudy Dijkstra and Stan Plasmeijer — both working at SUPERP and active as volunteers at the Dutch Institute for Vulnerability Disclosure (DIVD) — underlines why such governance matters. In collaboration with DIVD, large-scale research was conducted into publicly accessible application environments. More than 2,000 environments were identified where configuration issues could lead to unintended data access.

Rudy Dijkstra, an ethical hacker, previously focused on manually pentesting Mendix applications. As this process is time-consuming, he developed a tool to automate it. His solution, Menscan.io, automatically detects configuration issues in Mendix applications.

His colleague Stan Plasmeijer further expanded this tooling, enabling not just individual applications, but large numbers of environments to be analyzed at once.

A global pattern emerges

The tooling was subsequently used within DIVD for large-scale research. It became clear that these were not isolated incidents, but a recurring pattern. Similar configuration issues were found across different industries and multiple countries.

The exposed data ranged from names and contact details to internal records, and in some cases even documents or identity information. This creates risks such as data misuse, fraud, and reportable data breaches.

The research focused on applications built with Mendix. The findings show that the issue is not a fundamental flaw in the platform itself, but lies in how individual applications are configured and how authorization is set up. Incorrectly configured access rights or insufficiently secured components can introduce risks, especially when applications are publicly accessible.

Responsible disclosure and public interest

The research was conducted within the context of DIVD, an independent volunteer organization dedicated to improving internet security.

Their approach is based on responsible disclosure: vulnerabilities are first reported confidentially to the relevant organizations, allowing them to take corrective action before any public disclosure.

Research like this plays an important role in strengthening digital resilience and public safety. It helps uncover structural risks that would otherwise remain unnoticed.

Governance requires a structural approach

Application landscapes are growing. More teams are building. More solutions are being deployed. With the rise of AI-assisted development, software is being created faster than ever.

This is a positive development. At the same time, it increases the risk that security and configuration receive less attention than functionality.

Configuration is not a detail. It determines who has access to which data, and under what conditions. When multiple teams build without clear frameworks and oversight, vulnerabilities can emerge: not because the technology falls short, but because governance is not structurally embedded.

Software development therefore requires visibility: who builds what, how access is configured, and which controls are in place before something goes live. Governance is not a document, but a continuous process that evolves alongside development speed.

Structural control within the Mendix landscape

Within MxBlue | SUPERP, we support organizations in establishing this structural governance. Where additional security expertise is required, we collaborate with the SUPERP Security team.

We also focus on continuous quality monitoring through our partnership with Blue Storm and the AppControl solution. With automated policy checks, audit logging, and real-time reporting, organizations gain continuous insight into quality, security, and compliance — at both application and portfolio level.

Digital acceleration is a conscious choice. Structural governance ensures that this choice remains controlled and sustainable.

Want to understand whether your Mendix applications are properly configured and how to structurally embed governance? Get in touch with Sander van den Deijssel — he’ll be happy to walk you through it.