Clarification Required on Penetration Test Finding – Unauthenticated Access via /xas Endpoint

We recently received a penetration testing report that identified a Critical vulnerability related to unauthenticated access to sensitive information through the Mendix /xas endpoint. According to the report, an unauthenticated request to /xas using the get_session_data action was able to return application metadata such as user information, GUIDs, microflow details, plugins, and widgets. The recommendation provided was to ensure that the /xas endpoint cannot be called without authentication.

We would like clarification on the following:

  • Is it expected behavior for the /xas endpoint to respond to unauthenticated requests under any Mendix configuration?
  • Are there known Mendix runtime settings or security configurations that could result in this behavior?
  • What is the recommended Mendix approach to verify and remediate this finding?
  • Are there any platform-level security best practices specifically related to securing the /xas endpoint?

We are currently validating the finding and would appreciate guidance from the Mendix support team regarding expected behavior and recommended remediation steps.

Thank you.

The /xas endpoint is a Mendix runtime endpoint and it is used for client-runtime communication. It is not an API endpoint that should normally be exposed as a public unauthenticated service.


From my experience, I would first verify the exact request that was executed by the penetration test, because the result can depend on the application configuration and runtime version.


Things I would check:

  • Verify the application security level is not configured in a way that allows anonymous runtime access.
  • Check if anonymous users are enabled and what access they have.
  • Review whether any pages, microflows, or entities exposed to anonymous users are unintentionally allowing metadata access.
  • Confirm the Mendix Runtime version and apply the latest supported patches.


The /xas endpoint itself should not be treated as a replacement for published REST/SOAP APIs. If an unauthenticated request can retrieve internal application metadata, I would consider that a security finding and validate it with the Mendix version/support team.


For remediation, the usual approach would be:

  • Disable anonymous access if it is not required.
  • Ensure anonymous roles have the minimum required permissions.
  • Restrict application access through authentication.
  • Place the application behind the recommended infrastructure controls (reverse proxy/WAF) if required by your security policy.
  • Retest after configuration changes.


Kindly mark this as the accepted answer if it helps.

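The "retest after configuration changes" step above, as an added example that is not part of the answer or of Mendix's own tooling: it repeats the unauthenticated get_session_data request the report describes against your own application and reports which metadata fields still come back. The JSON request shape, the `/xas/` path and the field names in `SENSITIVE_KEYS` are assumptions to adjust to what your runtime actually returns.

```python
"""Retest helper for the unauthenticated /xas get_session_data finding.
Added example, not Mendix code. Assumptions: the client posts JSON
{"action": "get_session_data", "params": {}} to <base_url>/xas/, and the
reply is JSON whose keys below are the ones worth treating as sensitive."""
import json
import urllib.error
import urllib.request

# Assumed field names; edit to match the reply your runtime version produces.
SENSITIVE_KEYS = ("user", "sessionData", "microflows", "plugins", "widgets")


def unauthenticated_session_probe(base_url: str, timeout: float = 10.0) -> dict:
    """POST the request with no cookies and return the parsed JSON reply.
    A refused call (e.g. 401/403) is returned as {"_http_status": code}."""
    body = json.dumps({"action": "get_session_data", "params": {}}).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/xas/", data=body, method="POST",
        headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read().decode() or "{}")
    except urllib.error.HTTPError as err:
        return {"_http_status": err.code}
    except (urllib.error.URLError, ValueError):
        return {}


def _all_keys(node, found: set) -> set:
    """Collect every object key in the reply, at any nesting depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            found.add(key)
            _all_keys(value, found)
    elif isinstance(node, list):
        for item in node:
            _all_keys(item, found)
    return found


def exposed_metadata(reply: dict) -> list:
    """Sensitive keys present anywhere in the anonymous reply; an empty
    list means the finding no longer reproduces for these fields."""
    found = _all_keys(reply, set())
    return [key for key in SENSITIVE_KEYS if key in found]


if __name__ == "__main__":
    # Constructed sample reply standing in for a live probe of your app.
    sample = {"user": {"guid": "CONSTRUCTED-GUID"}, "microflows": []}
    print("still exposed:", exposed_metadata(sample))
```

Run `exposed_metadata(unauthenticated_session_probe("https://your-app.example"))` before and after disabling anonymous access to confirm the list shrinks to empty.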