CVE-2026-35063 in OpenPLC v3

Summary

by MITRE • 04/09/2026

OpenPLC_V3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID, or can create new accounts with role=admin, escalating to full administrator access.


Analysis

by VulDB Data Team • 04/09/2026

The vulnerability identified as CVE-2026-35063 resides within the OpenPLC_V3 platform's REST API implementation, representing a critical authorization flaw that undermines the system's access control mechanisms. This issue stems from a fundamental misconfiguration in the API's role-based access control (RBAC) enforcement where the system correctly identifies when a user is authenticated through JWT tokens but fails to validate whether the authenticated user possesses the appropriate privileges to perform specific operations. The absence of proper role verification creates a dangerous gap in the security architecture that allows malicious actors to exploit the system's trust model.

The technical flaw manifests as a complete breakdown in privilege validation logic within the REST API endpoints responsible for user management operations. When a user attempts to delete another user or create new accounts, the system only verifies that a valid JWT token is present in the request headers without confirming whether the token's associated user has administrative privileges. This oversight directly violates the principle of least privilege and demonstrates a clear failure in implementing proper authorization checks. The vulnerability falls under CWE-285, which specifically addresses insufficient authorization issues in software systems, where the system fails to properly enforce access controls for operations that require elevated privileges.

The operational impact of this vulnerability is severe and far-reaching, as it enables any user with the basic 'user' role to escalate their privileges and assume full administrative control over the OpenPLC_V3 system. An attacker could leverage this weakness to delete critical administrator accounts, effectively locking out legitimate administrators and rendering the system unusable. Additionally, the ability to create new accounts with administrative privileges creates a persistent backdoor that could remain undetected for extended periods. This vulnerability directly maps to ATT&CK technique T1078.004, which covers legitimate credentials and cloud accounts, as the exploitation involves using existing user credentials to gain unauthorized administrative access. The consequences extend beyond simple privilege escalation, potentially allowing attackers to modify system configurations, access sensitive data, and compromise the integrity of the entire industrial control system infrastructure.

Mitigation strategies for this vulnerability must address both the immediate authorization gap and the underlying architectural issues that permitted such a flaw to exist. Organizations should implement comprehensive role-based access control validation for all user management operations, ensuring that any request to delete or create accounts requires explicit verification of administrative privileges before proceeding. The system should enforce mandatory access controls that prevent users from performing operations outside their designated roles regardless of their authentication status. Additionally, implementing proper logging and monitoring of administrative actions would help detect unauthorized privilege escalation attempts. Security hardening measures should include regular access control reviews, privilege auditing, and the implementation of multi-factor authentication for administrative accounts. The solution aligns with security best practices outlined in NIST SP 800-53 and ISO 27001 standards for access control management, requiring that all system operations be validated against appropriate authorization policies to prevent unauthorized access and privilege escalation attacks.
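The flaw class described in the analysis (a handler that authenticates a JWT but never authorizes the caller's role) and the fix it calls for (explicit role verification before any delete or create operation, plus an audit record of denials) are shown side by side below. This is an added, self-contained example, not OpenPLC_V3's code: the HS256 token helper, the user table, the handler names and the `Bearer` header convention are all constructed for the demonstration.

```python
"""Authentication vs. authorization in a user-management API (illustrative).

Added example, not OpenPLC_V3's code. `delete_user_vulnerable` shows the
pattern the analysis describes: a valid token of ANY role is enough to act.
`delete_user` / `create_user` show the fix: the role claim is checked before
the privileged operation runs, and every denial is recorded for monitoring.
"""
import base64
import binascii
import hashlib
import hmac
import json

SECRET = b"demo-signing-key"  # constructed for the example only
AUDIT_LOG = []                # denied privileged requests (for detection)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint a minimal HS256 JWT: header.payload.signature (constructed helper)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes = SECRET):
    """Return the claims if the HS256 signature is valid, else None.

    This is AUTHENTICATION only: it says who the caller is, not what they may do.
    The algorithm is fixed to HS256 here rather than read from the header.
    """
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, binascii.Error):
        return None


# Constructed user table: id -> record
USERS = {
    1: {"username": "admin", "role": "admin"},
    2: {"username": "operator", "role": "user"},
}


def _bearer(auth_header):
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    return auth_header[len("Bearer "):]


def delete_user_vulnerable(auth_header, target_id, users):
    """Flaw pattern (CWE-285): presence of a valid token is treated as permission."""
    token = _bearer(auth_header)
    if token is None or verify_token(token) is None:
        return 401, "missing or invalid token"
    users.pop(target_id, None)          # role never consulted
    return 200, "deleted"


def _authorize(auth_header, required_role, action):
    """Authenticate the token, then AUTHORIZE the role. Returns (claims, error)."""
    token = _bearer(auth_header)
    if token is None:
        return None, (401, "missing bearer token")
    claims = verify_token(token)
    if claims is None:
        return None, (401, "invalid token")
    if claims.get("role") != required_role:
        # Denied privileged call: record who tried what, for detection.
        AUDIT_LOG.append({"sub": claims.get("sub"), "role": claims.get("role"),
                          "action": action, "outcome": "denied"})
        return None, (403, "insufficient role")
    return claims, None


def delete_user(auth_header, target_id, users):
    """Hardened: only an admin-role caller may delete an account."""
    _, err = _authorize(auth_header, "admin", f"delete_user:{target_id}")
    if err:
        return err
    if target_id not in users:
        return 404, "no such user"
    del users[target_id]
    return 200, "deleted"


def create_user(auth_header, username, role, users):
    """Hardened: only an admin-role caller may create accounts (of any role)."""
    _, err = _authorize(auth_header, "admin", f"create_user:{role}")
    if err:
        return err
    if role not in ("admin", "user"):
        return 400, "unknown role"
    new_id = max(users, default=0) + 1
    users[new_id] = {"username": username, "role": role}
    return 201, new_id
```

The point of the contrast is where the check lives: `verify_token` answers "is this token genuine?", and the vulnerable handler stops there. The hardened handlers route every privileged operation through `_authorize`, which also answers "does this identity hold the required role?", and a 403 leaves an entry in `AUDIT_LOG` so repeated attempts by a low-privilege account are visible to monitoring rather than silent.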

Responsible

Icscert

Reservation

04/06/2026

Disclosure

04/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00045

KEV

no

Activities

very low
