Description
OpenPLC_V3 is vulnerable to a Plaintext Storage of a Password vulnerability that could allow an attacker to retrieve credentials and access sensitive information.
Published: 2026-04-09
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Credential Disclosure
Action: Upgrade
AI Analysis

Impact

OpenPLC_V3 stores configuration passwords in plain text, allowing an attacker to read these credentials and gain unauthorized access to sensitive data and control of the PLC environment. This flaw, identified as CWE-256, represents a direct breach of confidentiality that could lead to full system compromise. The vulnerability enables an adversary to obtain credentials that can be reused or manipulated to elevate privileges within the PLC network.

Affected Systems

All currently released versions of OpenPLC_V3 are potentially affected, as the CNA lists the product without specifying version restrictions. Any deployed instance running OpenPLC_V3 that retains its default storage mechanism for passwords is at risk.

Risk and Exploitability

The CVSS score of 9.2 categorizes this issue as Critical, indicating a high potential for impact. While EPSS data is not available, the lack of vendor mitigation and the End‑of‑Life status suggest that exploitation could be practical for attackers who achieve read access to the system’s configuration files, either through local compromise or compromised credentials. The vulnerability is not listed in CISA’s KEV catalog, implying no confirmed widespread exploitation yet, but the attack vector is likely local or through remote access to privileged accounts that can read the password file.

Generated by OpenCVE AI on April 9, 2026 at 21:35 UTC.

Remediation

Vendor Workaround

OpenPLC_v3 is now considered to be end of life. Users are recommended to upgrade to OpenPLC Runtime v4 (https://github.com/autonomy-logic/openplc-runtime).


OpenCVE Recommended Actions

  • Upgrade OpenPLC to OpenPLC Runtime v4



Advisories

No advisories yet.

History

Fri, 10 Apr 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 09:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Openplcproject; Openplcproject openplc V3
Vendors & Products | | Openplcproject; Openplcproject openplc V3

Thu, 09 Apr 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | OpenPLC_V3 is vulnerable to a Plaintext Storage of a Password vulnerability that could allow an attacker to retrieve credentials and access sensitive information.
Title | | Plaintext storage of a password in OpenPLC_V3
Weaknesses | | CWE-256
References | |
Metrics | | cvssV4_0 {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-04-10T18:03:50.288Z

Reserved: 2026-04-06T15:01:14.388Z

Link: CVE-2026-35556

Vulnrichment

Updated: 2026-04-10T18:03:45.930Z

NVD

Status: Received

Published: 2026-04-09T19:16:25.663

Modified: 2026-04-09T19:16:25.663

Link: CVE-2026-35556

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:29:50Z

Weaknesses