Skip to main content

Openplc V3 CVE-2026-35063

| EUVDEUVD-2026-21035 HIGH
Missing Authorization (CWE-862)
2026-04-09 icscert
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Re-analysis Queued
Apr 16, 2026 - 20:52 vuln.today
cvss_changed
EUVD ID Assigned
Apr 09, 2026 - 19:45 euvd
EUVD-2026-21035
Analysis Generated
Apr 09, 2026 - 19:45 vuln.today
CVE Published
Apr 09, 2026 - 19:00 nvd
HIGH 8.7

DescriptionCVE.org

OpenPLC_V3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID or they can create new accounts with role=admin, escalating to full administrator access.

AnalysisAI

Authorization bypass in OpenPLC_V3 REST API allows authenticated low-privilege users to delete administrator accounts or create new admin-level accounts. The API validates JWT token presence but fails to enforce role-based access control, enabling any user with basic authentication to escalate privileges to full administrator access or remove existing administrators by manipulating user ID parameters. This affects all versions of OpenPLC_V3. No public exploit identified at time of analysis.

Technical ContextAI

CWE-862 missing authorization vulnerability. JWT authentication mechanism verifies token validity but omits role attribute validation in user management endpoints. Authenticated requests with role=user bypass intended RBAC enforcement, allowing unrestricted administrative operations including account creation with arbitrary role assignment and user deletion across privilege boundaries.

RemediationAI

No vendor-released patch identified at time of analysis. Recommended immediate actions: implement network segmentation to restrict REST API access to trusted administrative networks only; disable remote API access if not operationally required; enforce principle of least privilege by removing unnecessary user accounts with authentication credentials; monitor authentication logs for unauthorized user creation or deletion attempts. Organizations should review CISA advisory ICSA-25-345-10 for vendor coordination status and mitigation guidance: https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-10. Consider deploying reverse proxy with mandatory role verification middleware until vendor releases patched version with proper RBAC enforcement.

Share

CVE-2026-35063 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy