Skip to main content

Factorytalk Services Platform CVE-2026-10714

| EUVDEUVD-2026-43700 HIGH
Weak Authentication (CWE-1390)
2026-07-14 Rockwell GHSA-6w37-3rrj-mg8j
8.8
CVSS 4.0 · Vendor: Rockwell
Share

Severity by source

Vendor (Rockwell) PRIMARY
8.8 HIGH
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (Rockwell) · only source for this CVE.

CVSS VectorVendor: Rockwell

CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 15:37 vuln.today
CVE Published
Jul 14, 2026 - 15:02 cve.org
HIGH 8.8

DescriptionCVE.org

A security issue exists within FactoryTalk® Services Platform (FTSP), allowing an attacker to bypass JWT signature validation during Okta Web Authentication. The vulnerability stems from the application not verifying that the JWT algorithm is configured for RSA, enabling an attacker to set the algorithm to "none" and craft forged tokens. This could allow an authenticated low-privilege user to impersonate any authorized user on the FTSP server, resulting in unauthorized access to system configuration and the ability to grant permissions to other systems protected by FTSP.

AnalysisAI

Authentication bypass in Rockwell Automation FactoryTalk Services Platform (FTSP) lets an authenticated low-privilege user forge JWT tokens during Okta Web Authentication because the application fails to enforce the RSA signing algorithm, permitting the classic 'alg:none' attack. A successful attacker can impersonate any authorized user, reaching system configuration and granting permissions to other systems that FTSP protects. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Recommended ActionAI

Within 24 hours, inventory all FTSP deployments and identify those using Okta Web Authentication; restrict administrative access through network controls and review authentication logs for suspicious token issuance or privilege escalation attempts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-10714 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy