CVE-2026-14480 in Runtime
Summary
by MITRE • 07/11/2026
OpenPLC Runtime v3 contains an authenticated arbitrary file write vulnerability in the legacy web UI program‑upload workflow. The application stores an attacker‑supplied filename (prog_file) directly into the Programs.File database field and later uses this value as the destination path for an uploaded file without validating or restricting the path. Because Python os.path.join() honors attacker‑controlled absolute paths, an authenticated user can write arbitrary files anywhere writable by the OpenPLC webserver process. In the default build pipeline, all C++ source files within the OpenPLC runtime core directory are automatically compiled into the executable runtime binary. By writing a malicious .cpp file into this directory, an authenticated attacker can escalate the arbitrary file write into arbitrary native code execution when the operator triggers a normal program compilation and runtime start.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/11/2026
The OpenPLC Runtime v3 vulnerability represents a critical authenticated arbitrary file write flaw that exploits weaknesses in the legacy web UI program-upload workflow. This vulnerability stems from insufficient input validation and path sanitization within the application's file handling mechanisms, creating an exploitable condition where attacker-controlled data directly influences system-level operations. The flaw specifically manifests when the application stores an attacker-supplied filename value into the Programs.File database field without proper sanitization or restriction of the path components. This design oversight allows malicious actors with valid credentials to manipulate the destination path for uploaded files through the prog_file parameter.
The technical exploitation leverages Python's os.path.join() function behavior, which respects absolute paths supplied by attackers rather than enforcing strict relative path constraints. This characteristic enables authenticated users to craft malicious file paths that bypass normal directory boundaries and write files to arbitrary locations accessible by the OpenPLC webserver process. The vulnerability classification aligns with CWE-73 Path Traversal and CWE-94 Code Injection, as it combines directory traversal techniques with code execution capabilities through file manipulation. From an operational perspective, this vulnerability creates a significant attack surface that can be exploited by authenticated threat actors who may have legitimate access to the system but lack administrative privileges.
The impact extends beyond simple file manipulation due to the runtime's automatic compilation process, which transforms C++ source files into executable binaries during normal operation. This creates an escalation path where an attacker can write malicious .cpp files directly into the OpenPLC runtime core directory and subsequently trigger arbitrary native code execution when legitimate program compilation occurs. The default build pipeline's automatic compilation of all C++ source files within the runtime core directory transforms this vulnerability from a simple file write primitive into a full code execution capability, enabling attackers to inject malicious functionality that executes with the privileges of the OpenPLC service account. This exploitation pattern follows ATT&CK technique T1059.006 Command and Scripting Interpreter for C++ code execution and T1203 Exploitation for Client Execution through legitimate system workflows.
The vulnerability's severity is exacerbated by the fact that it requires only authenticated access to the web UI, which may be available to operational technology personnel or authorized users with legitimate business requirements. This authentication requirement does not sufficiently protect against malicious insiders or compromised user accounts, making the attack vector particularly dangerous in environments where privilege separation is not properly enforced. Effective mitigation strategies must address both the immediate path traversal vulnerability through input validation and sanitization of file names and paths, as well as the broader architectural issues that enable code injection through legitimate compilation workflows. Organizations should implement strict path validation using absolute path normalization, restrict write permissions to critical directories, and consider privilege separation between the web interface and compilation processes to prevent unauthorized code execution.
Security controls should include implementing mandatory file extension validation, enforcing directory restrictions for file uploads, and conducting regular security assessments of legacy web interfaces that may contain similar vulnerabilities. The vulnerability demonstrates the importance of secure coding practices in industrial control systems where the compromise of a single authenticated component can lead to complete system takeover through automated compilation processes. Network segmentation and monitoring of file system modifications can provide additional defense-in-depth measures, while regular updates and patch management should address known vulnerabilities in legacy components that may not receive ongoing security support from vendors.