Description
A path injection vulnerability exists in OpenPLC v3 (2c82b0e79c53f8c1f1458eee15fec173400d6e1a) as the binary program compiled from glue_generator.cpp does not perform any validation on the file path parameters passed via the command line. The user-controlled input parameters are directly passed to the underlying file operation functions (fopen/ifstream/ofstream) for file reading and writing. An attacker can exploit this vulnerability by constructing a malicious path to read arbitrary readable files.
Published: 2026-05-13
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path injection flaw in OpenPLC v3 allows an attacker to supply crafted command‑line arguments that the glue_generator binary forwards unvalidated to file handling APIs. This omission lets the attacker read any file that the process can access, directly exposing system files and potentially secret data. The weakness is centered on improper input validation and path traversal, giving attackers a read‑only confidentiality impact without any immediate denial of service or code execution claim.

Affected Systems

OpenPLC v3 is affected. The vulnerability is present in the binary produced from glue_generator.cpp as referenced in the OpenPLC v3 source commit 2c82b0e79c53f8c1f1458eee15fec173400d6e1a. No additional version specifics are provided, so all builds including this commit are impacted.

Risk and Exploitability

The EPSS score is < 1% and it is not listed in the CISA KEV catalog. The CVSS score is 6.5. Publicly documented exploitation traffic is not reported. The attack vector is inferred to be local or remote if the glue_generator binary can be executed by an attacker, requiring command‑line access. The exposure is limited to files readable by the process, but on many systems this can include configuration files, logs, or other sensitive data. The lack of an official fix note means defenses must rely on patching or manual mitigation.

Generated by OpenCVE AI on May 14, 2026 at 18:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s latest patched release of OpenPLC v3 as soon as it becomes available.
  • If a patch cannot be applied immediately, enforce a whitelist of allowed directories for the glue_generator binary or modify the command‑line invocation to remove any user‑supplied path components before passing them to file APIs.
  • Restrict the file system permissions of the OpenPLC process so that it only has read access to directories that are required for normal operation, minimizing the potential data exposed by the vulnerability.

Generated by OpenCVE AI on May 14, 2026 at 18:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Openplcproject
Openplcproject openplc V3
Openplcproject openplc V3 Firmware
CPEs cpe:2.3:h:openplcproject:openplc_v3:-:*:*:*:*:*:*:*
cpe:2.3:o:openplcproject:openplc_v3_firmware:2024-03-09:*:*:*:*:*:*:*
Vendors & Products Openplcproject
Openplcproject openplc V3
Openplcproject openplc V3 Firmware

Sun, 17 May 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Openplc
Openplc openplc
Vendors & Products Openplc
Openplc openplc

Thu, 14 May 2026 18:30:00 +0000

Type Values Removed Values Added
Title OpenPLC v3 Path Injection Allows Arbitrary File Read via Command-Line Parameters

Thu, 14 May 2026 16:15:00 +0000

Type Values Removed Values Added
Title OpenPLC v3 Path Injection Leading to Arbitrary File Read via Command-Line Parameters
Weaknesses CWE-20

Thu, 14 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 17:15:00 +0000

Type Values Removed Values Added
Title OpenPLC v3 Path Injection Leading to Arbitrary File Read via Command-Line Parameters
Weaknesses CWE-20
CWE-22

Wed, 13 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description A path injection vulnerability exists in OpenPLC v3 (2c82b0e79c53f8c1f1458eee15fec173400d6e1a) as the binary program compiled from glue_generator.cpp does not perform any validation on the file path parameters passed via the command line. The user-controlled input parameters are directly passed to the underlying file operation functions (fopen/ifstream/ofstream) for file reading and writing. An attacker can exploit this vulnerability by constructing a malicious path to read arbitrary readable files.
References

Subscriptions

Openplc Openplc
Openplcproject Openplc V3 Openplc V3 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-14T13:56:16.663Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31156

cve-icon Vulnrichment

Updated: 2026-05-14T13:55:41.682Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T16:16:38.763

Modified: 2026-05-26T15:13:06.800

Link: CVE-2026-31156

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-17T19:42:15Z

Weaknesses