Description
In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigger any authenticated action through a victim's session by luring any logged-in user to a malicious webpage.
Published: 2026-05-19
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross-Site Request Forgery (CWE-352) that exists in ScadaBR version 1.2.0. An attacker can entice a logged-in user to a malicious website that automatically submits requests to the SCADA system, and because those requests carry the victim's authentication credentials, the application treats them as legitimate actions. This allows the attacker to trigger any operation that the authenticated user is allowed to perform, potentially leading to unauthorized changes, data manipulation, or disruption of system operations.

Affected Systems

ScadaBR version 1.2.0 (vendor ScadaBR, product ScadaBR) is the affected product. The advisory lists no additional products or versions.

Risk and Exploitability

The CVSS base score is 8.6, indicating high severity, while the EPSS score is not available and the issue is not listed in CISA KEV. The attack vector is inferred to be web-based, requiring the victim to be authenticated and to visit a malicious webpage that automatically submits a request. The attacker needs no privileges on the application; the exploit relies on the victim's browser to send authenticated requests to it, enabling the attacker to perform any privileged function the user can.

Generated by OpenCVE AI on May 19, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch or upgrade to a ScadaBR version that eliminates the CSRF flaw; consult the vendor's release notes for specifics.
  • Enable anti-CSRF tokens on all state-changing requests in the web interface and ensure that the server validates these tokens before processing actions.
  • Limit the scope of sensitive authenticated operations or add an extra confirmation step, such as requiring a second factor or a manual prompt, to prevent automated submissions.
  • Monitor system logs for unusual request patterns or unauthorized state changes and investigate any anomalies promptly.
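One way to implement the second recommendation above (a per-session anti-CSRF token validated server-side before any state-changing action, backed by an Origin/Referer check), as an added example that is not ScadaBR's own code; the site origin, the in-memory session store and the request shapes are assumptions:

```python
# Added example (not ScadaBR code): server-side CSRF defence for a
# state-changing request, combining a per-session synchronizer token with
# an Origin/Referer check, as the recommended actions above describe.
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://scada.example.internal"   # assumed deployment origin
_session_tokens: dict[str, str] = {}              # session id -> CSRF token


def issue_token(session_id: str) -> str:
    """Mint a fresh random token for a session and remember it server-side.
    The legitimate UI embeds it in its forms; a cross-site page cannot read
    it because of the same-origin policy, so forged requests lack it."""
    token = secrets.token_urlsafe(32)
    _session_tokens[session_id] = token
    return token


def _origin_allowed(headers: dict[str, str]) -> bool:
    """Reject requests whose Origin (or, failing that, Referer) is foreign.
    A request carrying neither header is refused for state-changing actions."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def is_request_trusted(session_id: str, headers: dict[str, str],
                       form: dict[str, str]) -> bool:
    """Both checks must pass before a state-changing action is executed."""
    expected = _session_tokens.get(session_id)
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so token bytes cannot be guessed via timing.
    token_ok = expected is not None and hmac.compare_digest(
        expected.encode(), supplied.encode())
    return token_ok and _origin_allowed(headers)


if __name__ == "__main__":
    sid = "sess-1234"                      # constructed session id
    tok = issue_token(sid)
    # Constructed request from the real UI: carries the token, same origin.
    good = is_request_trusted(sid, {"Origin": SITE_ORIGIN}, {"csrf_token": tok})
    # Constructed cross-site auto-submitted form: the session cookie rides
    # along, but the token is absent and the Origin is foreign, so it is refused.
    forged = is_request_trusted(sid, {"Origin": "https://attacker.example"},
                                {"action": "setpoint"})
    print(good, forged)  # True False
```

Logging the rejected requests (session id, Origin, action) gives the monitoring step in the last recommendation something concrete to alert on.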

Advisories

No advisories yet.

History

Tue, 19 May 2026 18:45:00 +0000

Type: First Time appeared | Values Removed: (none) | Values Added: Scadabr; Scadabr scadabr
Type: Vendors & Products | Values Removed: (none) | Values Added: Scadabr; Scadabr scadabr

Tue, 19 May 2026 18:15:00 +0000

Type: Metrics | Values Removed: (none) | Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 19 May 2026 17:45:00 +0000

Type: Description | Values Removed: (none) | Values Added: In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigger any authenticated action through a victim's session by luring any logged-in user to a malicious webpage.
Type: Title | Values Removed: (none) | Values Added: Cross-Site request forgery (CSRF) in ScadaBR
Type: Weaknesses | Values Removed: (none) | Values Added: CWE-352
Type: References | Values Removed: (none) | Values Added: (none)
Type: Metrics | Values Removed: (none) | Values Added: cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-05-19T18:00:59.900Z

Reserved: 2026-05-14T15:25:11.050Z

Link: CVE-2026-8604

Vulnrichment

Updated: 2026-05-19T18:00:54.415Z

NVD

Status: Awaiting Analysis

Published: 2026-05-19T18:16:32.037

Modified: 2026-05-19T21:01:28.183

Link: CVE-2026-8604

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T18:30:11Z

Weaknesses