Security Issue - Broken Access Control - PAS EU _GCDBMS_ UI

We have received a security issue regarding normal users being able to download the private key even though they cannot view it in the UI. We observed that at the code level only Admin has full read and write access to the private key, but normal users can still download the key. Below is the link shared by the security team; it contains the GUID, changed date and private key. How can we restrict this for normal users? https://customerdeliveryportal-accp.mendixcloud.com/file?guid=161848111608627201&changedDate=1735821417171&name=private_key.pem&target=inline I understand that it is coming from Mendix Cloud; how can we restrict it in Mendix Cloud? Could you please suggest? Please find the attached screenshots.
asked

Hi Deepa GJ,

The access rules of the most specific entity are applied. Assuming that this FileDocument is of the type 'SFTP.Key', only users with the Administrators role in this module are able to download it. So the reported issue indeed seems strange, given your configured access rules.


Please check the following:

* Did you accidentally assign the Administrator module role of the SFTP module to other User Roles?

* Did you recently change the access rules and are tests running on a different version?

* Are there specializations on SFTP.Key which have different access rules defined?

* Is the file (161848111608627201) indeed an instance of SFTP.Key or did it somehow end up in a different table (with different access rules)?
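As an added illustration (not Mendix code or the answer's own), the following is a simplified model of the rule stated above: the access rules of the object's most specific entity decide who may download it, so a specialization with looser rules (check 3) or an object stored under a different entity (check 4) explains the leak. The SFTP.LegacyKey specialization and the module role names are assumed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Entity:
    name: str
    generalization: Entity | None = None
    # module role -> set of permitted operations on objects of this entity
    access_rules: dict[str, set[str]] = field(default_factory=dict)


@dataclass
class FileObject:
    guid: int
    entity: Entity  # the concrete (most specific) entity the object was stored as


def can_read(obj: FileObject, module_roles: set[str]) -> bool:
    """Only the rules of obj.entity itself are consulted, as the answer states;
    rules defined on a generalization do not restrict a specialization."""
    rules = obj.entity.access_rules
    return any("read" in rules.get(role, set()) for role in module_roles)


def explain(obj: FileObject, module_roles: set[str]) -> str:
    """Report the entity chain, which entity's rules were applied, and the verdict."""
    chain, e = [], obj.entity
    while e is not None:
        chain.append(e.name)
        e = e.generalization
    verdict = "ALLOWED" if can_read(obj, module_roles) else "DENIED"
    return f"{obj.guid}: {' -> '.join(chain)}; rules from {obj.entity.name}; {verdict}"


# Model matching the question: only the SFTP module's Administrator role may read SFTP.Key.
file_document = Entity("System.FileDocument")
sftp_key = Entity("SFTP.Key", file_document, {"SFTP.Administrator": {"read", "write"}})
# Constructed specialization with a looser rule (checklist item 3); not from the page.
legacy_key = Entity("SFTP.LegacyKey", sftp_key, {"SFTP.User": {"read"}})

if __name__ == "__main__":
    # GUID from the question; the second GUID is a constructed placeholder.
    print(explain(FileObject(161848111608627201, sftp_key), {"SFTP.User"}))
    print(explain(FileObject(999, legacy_key), {"SFTP.User"}))
```

If the download succeeds in this model only when the object's concrete entity is not SFTP.Key, the same question answered against the real database (which table holds the GUID) is the decisive check.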


BTW: If you are really running on 9.24.14, I would strongly recommend upgrading, as there have been several fixes and security patches released since Jan '24.


Good luck!

answered