CVE-2026-35063
Published: Apr 9, 2026
Modified: Apr 10, 2026
PUBLISHED
Description
An OpenPLC_V3 REST API endpoint checks that a JWT is present but never verifies the caller's role. An authenticated user with role=user can delete any other user, including administrators, by specifying that user's ID, or can create new accounts with role=admin, escalating to full administrator access.
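The missing-authorization pattern described above, modelled as an added Python example that is not OpenPLC's code: both handlers verify the JWT signature, but only the fixed one also enforces the role claim before the destructive action. The claim names, user table, handler names and signing key are constructed assumptions; the same `role="admin"` requirement would apply to an account-creation handler.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # placeholder signing key, not a real one

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict) -> str:
    """Minimal HS256 JWT: header.payload.signature (enough to model the flaw)."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def decode_token(token: str):
    """Return the claims if the signature verifies, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    expect = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expect, _unb64(sig)):
        return None
    return json.loads(_unb64(body))

def _require(token: str, role=None) -> int:
    """401 without a valid token; 403 when a role is required and the claim differs."""
    claims = decode_token(token)
    if claims is None:
        return 401
    if role is not None and claims.get("role") != role:
        return 403
    return 200

def delete_user_vulnerable(token, target_id, users) -> int:
    """Checks JWT presence only, so a role=user token can delete an admin (the CVE pattern)."""
    status = _require(token)
    if status == 200:
        users.pop(target_id, None)
    return status

def delete_user_fixed(token, target_id, users) -> int:
    """Same handler with the missing authorization step: the caller must hold role=admin."""
    status = _require(token, role="admin")
    if status == 200:
        users.pop(target_id, None)
    return status
```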
| Vendor | Product | Versions |
|---|---|---|
| OpenPLC_V3 | OpenPLC_V3 | All versions (affected) |
Weaknesses (CWE)
References
https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-10
government-resource