Description
A security issue exists within FactoryTalk® Services Platform (FTSP), allowing an attacker to bypass JWT signature validation during Okta Web Authentication. The vulnerability stems from the application not verifying that the JWT algorithm is configured for RSA, enabling an attacker to set the algorithm to "none" and craft forged tokens. This could allow an authenticated low-privilege user to impersonate any authorized user on the FTSP server, resulting in unauthorized access to system configuration and the ability to grant permissions to other systems protected by FTSP.
Published: 2026-07-14
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

No analysis available yet.

Remediation

Vendor Solution

Apply patch  RAID 1158263 https://support.rockwellautomation.com/app/answers/answer_view/a_id/1158263/~/patch%3A-okta-authentication-improvements%2C-factorytalk-services-6.60-

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Jul 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Rockwellautomation
Rockwellautomation factorytalk Services Platform
Vendors & Products Rockwellautomation
Rockwellautomation factorytalk Services Platform

Tue, 14 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Jul 2026 15:15:00 +0000

Type Values Removed Values Added
Description A security issue exists within FactoryTalk® Services Platform (FTSP), allowing an attacker to bypass JWT signature validation during Okta Web Authentication. The vulnerability stems from the application not verifying that the JWT algorithm is configured for RSA, enabling an attacker to set the algorithm to "none" and craft forged tokens. This could allow an authenticated low-privilege user to impersonate any authorized user on the FTSP server, resulting in unauthorized access to system configuration and the ability to grant permissions to other systems protected by FTSP.
Title Rockwell Automation FactoryTalk® Services Platform FTSP - Weak Authentication via JWT Validation Bypass
Weaknesses CWE-1390
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


Subscriptions

Rockwellautomation Factorytalk Services Platform
cve-icon MITRE

Status: PUBLISHED

Assigner: Rockwell

Published:

Updated: 2026-07-14T15:26:53.203Z

Reserved: 2026-06-02T19:25:13.142Z

Link: CVE-2026-10714

cve-icon Vulnrichment

Updated: 2026-07-14T15:26:49.081Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-14T16:30:04Z

Weaknesses