CVE-2026-36035 in WebServices Server
Summary
by MITRE • 07/15/2026
Incorrect access control in the /api/License/deactivateOffline endpoint of CAXPerts UniversalPlantViewer WebServices Server v2.7.6 allows authenticated attackers with low-level privileges to cause a Denial of Service (DoS) via removing the license from the webserver.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/15/2026
The vulnerability resides within the CAXPerts UniversalPlantViewer WebServices Server version 2.7.6 where improper access control has been identified in the /api/License/deactivateOffline endpoint. This represents a critical security flaw that allows authenticated users with minimal privileges to exploit a denial of service condition by removing licenses from the web server infrastructure. The issue stems from inadequate authorization checks that fail to properly validate user permissions before executing license removal operations, creating an avenue for privilege escalation and system disruption.
This vulnerability manifests as an incorrect access control scenario classified under CWE-285, which specifically addresses improper authorization within software systems. The flaw enables attackers who possess basic authentication credentials to perform actions beyond their intended scope, effectively allowing them to manipulate critical licensing components that should be restricted to administrators or authorized personnel only. The attack vector requires only legitimate authentication and leverages the system's insufficient permission validation mechanisms.
The operational impact of this vulnerability extends beyond simple service disruption as it creates a potential pathway for more sophisticated attacks within the software ecosystem. When an authenticated user removes licenses from the webserver, they effectively disable legitimate access to licensed software features, causing cascading failures that can affect multiple users and business operations. This unauthorized removal capability directly undermines the integrity of the licensing system and creates opportunities for attackers to gain persistent access or cause extended service interruptions.
From a threat modeling perspective, this vulnerability aligns with ATT&CK technique T1547.001 which covers registry run keys and startup folder manipulation, as the license removal can effectively prevent legitimate software operation and create persistent denial of service conditions. The flaw represents a classic case of insufficient access control validation that allows privilege escalation through unauthorized resource manipulation. Organizations relying on this web services server face potential operational disruptions, compliance violations, and increased attack surface exposure.
Mitigation strategies should focus on implementing proper authorization checks at the endpoint level, ensuring that only users with appropriate administrative privileges can execute license deactivation operations. The system must enforce role-based access control mechanisms that validate user permissions before processing any license modification requests. Additionally, comprehensive logging and monitoring of license-related activities should be implemented to detect unauthorized access attempts and provide audit trails for security incident response. Updates to the software version addressing this specific access control flaw represent the most effective long-term solution, as they correct the underlying authorization validation mechanisms that permit this unauthorized behavior.
The vulnerability demonstrates how seemingly minor access control oversights can create significant operational risks within enterprise software systems. Organizations should conduct thorough security assessments of their web services infrastructure to identify similar authorization gaps that could be exploited by malicious actors with legitimate authentication credentials. Regular security testing, including penetration testing and code reviews focused on authorization mechanisms, becomes essential for maintaining robust security postures in complex software environments where multiple users interact with critical system components.