Description
OpenPLC_V3 is vulnerable to an Initialization of a Resource with an Insecure Default vulnerability which could allow an attacker to gain access to the system by bypassing authentication via an API.
Published: 2026-04-09
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access via Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

OpenPLC_V3 contains an Initialization of a Resource with an Insecure Default flaw that can allow an attacker to bypass API authentication and gain unauthorized access to the system. This vulnerability poses a high confidentiality risk, enabling potential control over PLC functions and data.

Affected Systems

The CVE record lists both the vendor and the product as OpenPLC_V3. No specific version information is given, so all current releases of OpenPLC_V3 should be treated as susceptible.

Risk and Exploitability

With a CVSS score of 9.2, the vulnerability is considered critical. EPSS data is not available and the flaw is not tracked in the CISA KEV catalog. The likely attack vector is remote access to the exposed API, as inferred from the description of an authentication bypass. Exploitation only requires an attacker to interact with the vulnerable API endpoint, so the flaw is readily exploitable wherever that API is reachable over the network.

Generated by OpenCVE AI on April 9, 2026 at 20:54 UTC.

Remediation

Vendor Workaround

OpenPLC_v3 is now considered to be end of life. Users are recommended to upgrade to OpenPLC Runtime v4 (https://github.com/autonomy-logic/openplc-runtime).


OpenCVE Recommended Actions

  • Upgrade to OpenPLC Runtime v4 as recommended by the vendor
  • Confirm that API authentication mechanisms are enabled after the upgrade
  • Perform a security review of PLC configurations to ensure no insecure defaults remain

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 17:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Openplcproject openplc V3 Firmware
CPEs                 (none)           cpe:2.3:h:openplcproject:openplc_v3:-:*:*:*:*:*:*:*
                                      cpe:2.3:o:openplcproject:openplc_v3_firmware:-:*:*:*:*:*:*:*
Vendors & Products   (none)           Openplcproject openplc V3 Firmware
Metrics              (none)           cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 10 Apr 2026 18:15:00 +0000

Type                 Values Removed   Values Added
Metrics              (none)           ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 09:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Openplcproject
                                      Openplcproject openplc V3
Vendors & Products   (none)           Openplcproject
                                      Openplcproject openplc V3

Thu, 09 Apr 2026 19:00:00 +0000

Type                 Values Removed   Values Added
Description          (none)           OpenPLC_V3 is vulnerable to an Initialization of a Resource with an Insecure Default vulnerability which could allow an attacker to gain access to the system by bypassing authentication via an API.
Title                (none)           Initialization of a resource with an insecure default in OpenPLC_V3
Weaknesses           (none)           CWE-1188
References           (none)           (none)
Metrics              (none)           cvssV4_0 {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H'}

MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-04-10T18:02:22.971Z

Reserved: 2026-04-06T15:01:14.335Z

Link: CVE-2026-28205

Vulnrichment

Updated: 2026-04-10T18:02:19.224Z

NVD

Status: Analyzed

Published: 2026-04-09T19:16:23.370

Modified: 2026-04-28T17:17:50.793

Link: CVE-2026-28205

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:29:52Z

Weaknesses