Description
An Insertion of Sensitive Information into Log File vulnerability in B&R PVI client versions prior to 6.5 may be abused by an authenticated local attacker to gather credential information which is processed by the PVI client application. The logging function of the PVI client application is disabled by default and must be explicitly enabled by the user.
Published: 2026-01-29
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Apply Update
AI Analysis

Impact

An insertion of sensitive information into log files occurs in B&R PVI client versions older than 6.5. The problem arises when the logging function, which is disabled by default, is explicitly enabled. An attacker who has already authenticated locally to the client can exploit this to capture credential information processed by the application. The vulnerability is a classic example of CWE‑532, where confidential data is inadvertently recorded in logs.

Affected Systems

B&R Industrial Automation GmbH Process Visualization Interface (PVI) client software versions prior to 6.5 are affected. No other vendors or products are listed as impacted.

Risk and Exploitability

The CVSS score is 5.1, indicating a moderate risk. The EPSS score is below 1 %, and the vulnerability is not listed in CISA’s KEV catalog, suggesting a low likelihood of widespread exploitation. The attack requires local access and valid user authentication, and it depends on the logging function, which is disabled by default, having been explicitly enabled. If exploited, the impact is confined to the local system, but credential material could be exposed to the attacker.

Generated by OpenCVE AI on April 18, 2026 at 01:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the PVI client to version 6.5 or newer, which removes the vulnerable logging behavior.
  • If a timely upgrade is not possible, keep the logging feature disabled so that sensitive data is not recorded.
  • Enforce strict local access controls to limit the pool of users who can authenticate to the PVI client.

Advisories

No advisories yet.

History

Fri, 30 Jan 2026 09:00:00 +0000

Values added (none removed):
  • First Time appeared: Br-automation; Br-automation process Visualization Interface
  • Vendors & Products: Br-automation; Br-automation process Visualization Interface

Thu, 29 Jan 2026 19:15:00 +0000

Values added (none removed):
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 29 Jan 2026 16:00:00 +0000

Values added (none removed):
  • Description: An Insertion of Sensitive Information into Log File vulnerability in B&R PVI client versions prior to 6.5 may be abused by an authenticated local attacker to gather credential information which is processed by the PVI client application. The logging function of the PVI client application is disabled by default and must be explicitly enabled by the user.
  • Title: Insertion of Sensitive Information into Logfile
  • Weaknesses: CWE-532
  • References
  • Metrics: cvssV3_1 {'score': 5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N'}
  • Metrics: cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ABB

Published:

Updated: 2026-01-29T18:45:35.056Z

Reserved: 2026-01-14T10:12:54.468Z

Link: CVE-2026-0936

Vulnrichment

Updated: 2026-01-29T18:45:31.239Z

NVD

Status: Deferred

Published: 2026-01-29T16:16:14.327

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0936

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T01:30:16Z

Weaknesses