Description
OpenPLC_V3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID or they can create new accounts with role=admin, escalating to full administrator access.
Published: 2026-04-09
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Upgrade
AI Analysis

Impact

An authenticated user can delete any other user or create new accounts with administrator privileges in OpenPLC V3 because the REST API only checks that a JWT token is present and never verifies the caller's role, a missing authorization flaw (CWE-862). As a result, a local or remote user with normal permissions can gain full administrative control, delete administrators, or create new admin accounts, compromising the confidentiality and integrity of the system.
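To make the flaw concrete, here is an added illustration (not OpenPLC V3's own code, which is not shown on this page): a user-management handler that treats any valid JWT as sufficient, beside one that also checks the caller's current role before deleting or creating accounts. The HS256 token handling is built from the standard library; the secret, the user table and the handler names are constructed for this example.

```python
"""Added example, not OpenPLC code: authentication-only (CWE-862) versus
authentication plus role authorization on user-management operations.
Everything here (secret, user table, handler names) is constructed."""
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"example-only-secret"  # constructed; a real key comes from config

# Constructed user table: user id -> record. The server-side store, not the
# token, is the source of truth for a user's current role.
USERS = {
    1: {"name": "admin", "role": "admin"},
    2: {"name": "operator", "role": "user"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: int) -> str:
    """Mint a minimal HS256 JWT for a user (what a login endpoint returns)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_id}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str) -> Optional[dict]:
    """Return the claims if the signature checks out, otherwise None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except ValueError:  # bad segment count, bad base64, bad JSON
        return None


def delete_user_vulnerable(token: str, target_id: int, users: dict) -> int:
    """Authentication only: any valid token may delete any user (CWE-862)."""
    if verify_token(token) is None:
        return 401
    users.pop(target_id, None)
    return 200


def check_admin(token: str, users: dict) -> Optional[int]:
    """Return an HTTP error status if the caller may not manage users, else None.
    The role is read from the server-side store so a demoted user loses
    access immediately, regardless of what an older token says."""
    claims = verify_token(token)
    if claims is None:
        return 401
    actor = users.get(claims.get("sub"))
    if actor is None or actor["role"] != "admin":
        return 403  # authenticated, but not authorized
    return None


def delete_user_hardened(token: str, target_id: int, users: dict) -> int:
    err = check_admin(token, users)
    if err is not None:
        return err
    if target_id not in users:
        return 404
    users.pop(target_id)
    return 200


def create_user_hardened(token: str, name: str, role: str, users: dict) -> int:
    err = check_admin(token, users)
    if err is not None:
        return err
    if role not in ("admin", "user"):
        return 400
    new_id = max(users) + 1 if users else 1
    users[new_id] = {"name": name, "role": role}
    return 201


if __name__ == "__main__":
    store = dict(USERS)
    print("vulnerable, operator deletes admin:", delete_user_vulnerable(issue_token(2), 1, store))
    store = dict(USERS)
    print("hardened, operator deletes admin:", delete_user_hardened(issue_token(2), 1, store))
    print("hardened, operator creates admin:", create_user_hardened(issue_token(2), "x", "admin", store))
    print("hardened, admin deletes operator:", delete_user_hardened(issue_token(1), 2, store))
```

The distinction the advisory draws is visible in the two delete handlers: both reject a missing or forged token with 401, but only the hardened one returns 403 to a caller whose current role is not admin. Reading the role from the user store rather than from a token claim also means that revoking or demoting an account takes effect without waiting for tokens to expire.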

Affected Systems

OpenPLC V3, the standalone open‑source PLC simulator and runtime platform. The product is listed as end of life and only the V3 version is affected.

Risk and Exploitability

The vulnerability scores 8.7 on the CVSS scale, indicating high severity. The EPSS score is not available, and the issue is not recorded in CISA's KEV catalog, but the required attack conditions are simple: the attacker only needs to authenticate to the REST API. Once authenticated, the flaw can be exploited with minimal effort to elevate privileges, making it a significant risk for any environment that still runs OpenPLC V3 and relies on the default administrator account.

Generated by OpenCVE AI on April 9, 2026 at 20:53 UTC.

Remediation

Vendor Workaround

OpenPLC_v3 is now considered to be end of life. Users are recommended to upgrade to OpenPLC Runtime v4 (https://github.com/autonomy-logic/openplc-runtime).


OpenCVE Recommended Actions

  • Upgrade to OpenPLC Runtime v4, as recommended by the vendor.
  • If migration to v4 is not possible, restrict or disable the REST API user management endpoints until a proper patch is applied.


Advisories

No advisories yet.

History

Thu, 16 Apr 2026 21:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Openplcproject openplc V3 Firmware
CPEs                                  cpe:2.3:h:openplcproject:openplc_v3:-:*:*:*:*:*:*:*
                                      cpe:2.3:o:openplcproject:openplc_v3_firmware:-:*:*:*:*:*:*:*
Vendors & Products                    Openplcproject openplc V3 Firmware
Metrics                               cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 10 Apr 2026 19:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 09:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Openplcproject
                                      Openplcproject openplc V3
Vendors & Products                    Openplcproject
                                      Openplcproject openplc V3

Thu, 09 Apr 2026 19:30:00 +0000

Type                 Values Removed   Values Added
Description                           OpenPLC_V3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID or they can create new accounts with role=admin, escalating to full administrator access.
Title                                 Missing Authorization in OpenPLC_V3
Weaknesses                            CWE-862
References
Metrics                               cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-04-10T18:04:45.721Z

Reserved: 2026-04-06T15:01:14.379Z

Link: CVE-2026-35063

Vulnrichment

Updated: 2026-04-10T18:04:38.896Z

NVD

Status : Analyzed

Published: 2026-04-09T20:16:25.833

Modified: 2026-04-16T20:49:50.383

Link: CVE-2026-35063

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:29:49Z

Weaknesses