Siemens and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on July 7, 2026, confirming a critical remote code execution (RCE) flaw in Mendix Studio Pro. The vulnerability, tracked as CVE-2026-48192, affects multiple versions of the low-code development environment, enabling attackers to seize control of a Windows machine simply by convincing a user to open a booby-trapped project file.

The flaw and affected versions

Mendix Studio Pro is the desktop-based modeling environment for the Mendix low-code platform, used to build, test, and deploy applications. The vulnerability resides in the application's project file parser. According to the advisory, improper validation of incoming data allows an attacker to craft a malicious .mpr or .mpk project file that, when opened in a vulnerable version of Studio Pro, executes arbitrary code with the privileges of the current user.

The affected releases are:

  • Mendix Studio Pro versions prior to 11.12
  • Specific maintenance versions within the 10.24 and 11.6 lines (no further detail was provided on the exact build numbers for these maintenance lines)

Siemens has assigned a CVSS v4 score of 9.3 (Critical) to the vulnerability, citing low attack complexity, no privileges required, and only user interaction needed for a successful exploit. The vulnerability was discovered internally by the Mendix engineering team; there is no evidence of active exploitation in the wild at the time of disclosure.

What it means for you

For individual developers, the risk is straightforward. Opening a Mendix project file received from an untrusted source—via email, a shared repository, or a download link—could lead to complete compromise of your Windows workstation. Because Studio Pro runs with the user’s own privileges, an attacker could install programs, steal data, or move laterally within a corporate network.

For development team leads and IT administrators, the stakes are higher. Many organisations integrate Mendix Studio Pro into broader CI/CD pipelines. A single compromised developer machine becomes a vector for supply-chain attacks: injected code could be committed to shared repositories, eventually propagating into production applications. Even in air-gapped environments, the risk remains if project files are transferred manually.

Cloud-based Mendix services and the Mendix runtime itself are not directly affected. This is a client-side vulnerability in the locally installed Studio Pro application.

How we got here

The disclosure follows Siemens’ established vulnerability-handling process. After the internal discovery, the product team prepared fixes and coordinated with CISA to publish the advisory. The timeline reflects a measured, coordinated disclosure: no technical details or proof-of-concept code have been released, reducing the immediate risk of weaponisation.

This isn’t the first security hiccup in low-code platforms. As these tools become indispensable for rapid application delivery, their desktop-facing components have drawn scrutiny from both researchers and malicious actors. Just last year, a similar parsing flaw was patched in a competing platform’s modeling tool. The pattern is clear: project files are complex archives, and parsers remain a fertile attack surface.

What to do now

Update immediately. Siemens has released patched versions that close the flaw. Users should upgrade to one of the following:

  • Mendix Studio Pro 11.12 or later
  • If you must remain on the 10.24 or 11.6 maintenance lines, install the specific hotfix builds that Siemens has made available (check the Mendix Platform Status page or your customer portal for exact version numbers)

Verify project file provenance. Until all team members have updated, treat every project file as potentially hostile. Only open files from trusted, known sources. Implement file-integrity checks in your repositories and consider sandboxing the Studio Pro environment on critical workstations.

Monitor the Siemens advisory. Siemens ProductCERT maintains an official advisory for CVE-2026-48192. Subscribe to updates for any changes in severity, affected versions, or mitigation advice. CISA’s ICS Advisory (ICSA-26-188-01) also provides operators with guidance on network defense.

Outlook

This vulnerability is a reminder that even mature, widely adopted development tools require constant vigilance. The low-code boom has expanded the attack surface of the software supply chain; desktop IDEs are often overlooked in security audits yet sit at the front line. Expect Mendix—and other platform vendors—to harden their parsers further. For now, the incident reinforces a basic rule: never trust a file until you’ve verified its source, and always patch your tools first.