Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
OpenPLC_V3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID or they can create new accounts with role=admin, escalating to full administrator access.
AnalysisAI
Authorization bypass in OpenPLC_V3 REST API allows authenticated low-privilege users to delete administrator accounts or create new admin-level accounts. The API validates JWT token presence but fails to enforce role-based access control, enabling any user with basic authentication to escalate privileges to full administrator access or remove existing administrators by manipulating user ID parameters. This affects all versions of OpenPLC_V3. No public exploit identified at time of analysis.
Technical ContextAI
CWE-862 missing authorization vulnerability. JWT authentication mechanism verifies token validity but omits role attribute validation in user management endpoints. Authenticated requests with role=user bypass intended RBAC enforcement, allowing unrestricted administrative operations including account creation with arbitrary role assignment and user deletion across privilege boundaries.
RemediationAI
No vendor-released patch identified at time of analysis. Recommended immediate actions: implement network segmentation to restrict REST API access to trusted administrative networks only; disable remote API access if not operationally required; enforce principle of least privilege by removing unnecessary user accounts with authentication credentials; monitor authentication logs for unauthorized user creation or deletion attempts. Organizations should review CISA advisory ICSA-25-345-10 for vendor coordination status and mitigation guidance: https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-10. Consider deploying reverse proxy with mandatory role verification middleware until vendor releases patched version with proper RBAC enforcement.
More in Openplc V3
View allAuthentication bypass in OpenPLC_V3 allows unauthenticated remote attackers to gain unauthorized system access through i
Plaintext credential storage in OpenPLC_V3 enables network-based attackers to retrieve authentication credentials withou
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21035