ID

VAR-202604-1660


CVE

CVE-2026-35063


TITLE

OpenPLC Project of OpenPLC_v3  Lack of Authentication Vulnerability in Firmware

Trust: 0.8

sources: JVNDB: JVNDB-2026-011712

DESCRIPTION

OpenPLC_V3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID or they can create new accounts with role=admin, escalating to full administrator access. role=admin You can create a new account to gain full administrator access.All information handled by the software may be leaked to the outside. All information handled by the software may be rewritten. Furthermore, the software may stop working completely. Furthermore, attacks that exploit this vulnerability will not affect other software

Trust: 1.62

sources: NVD: CVE-2026-35063 // JVNDB: JVNDB-2026-011712

AFFECTED PRODUCTS

vendor:openplcprojectmodel:openplc v3scope:eqversion: -

Trust: 1.0

vendor:openplcmodel:v3scope:eqversion:openplc_v3 firmware

Trust: 0.8

vendor:openplcmodel:v3scope: - version: -

Trust: 0.8

vendor:openplcmodel:v3scope:eqversion: -

Trust: 0.8

sources: JVNDB: JVNDB-2026-011712 // NVD: CVE-2026-35063

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2026-35063
value: HIGH

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2026-35063
value: HIGH

Trust: 1.0

NVD: CVE-2026-35063
value: HIGH

Trust: 0.8

nvd@nist.gov: CVE-2026-35063
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2026-35063
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2026-011712 // NVD: CVE-2026-35063 // NVD: CVE-2026-35063

PROBLEMTYPE DATA

problemtype:CWE-862

Trust: 1.0

problemtype:Lack of authentication (CWE-862) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2026-011712 // NVD: CVE-2026-35063

PATCH

title:OpenPLC_V3 (Update A) | CISAurl:https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-10

Trust: 0.8

sources: JVNDB: JVNDB-2026-011712

EXTERNAL IDS

db:NVDid:CVE-2026-35063

Trust: 2.6

db:ICS CERTid:ICSA-25-345-10

Trust: 1.0

db:JVNDBid:JVNDB-2026-011712

Trust: 0.8

sources: JVNDB: JVNDB-2026-011712 // NVD: CVE-2026-35063

REFERENCES

url:https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-10

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2026-35063

Trust: 0.8

sources: JVNDB: JVNDB-2026-011712 // NVD: CVE-2026-35063

SOURCES

db:JVNDBid:JVNDB-2026-011712
db:NVDid:CVE-2026-35063

LAST UPDATE DATE

2026-06-19T22:32:59.643000+00:00


SOURCES UPDATE DATE

db:JVNDBid:JVNDB-2026-011712date:2026-04-20T02:39:00
db:NVDid:CVE-2026-35063date:2026-04-16T20:49:50.383

SOURCES RELEASE DATE

db:JVNDBid:JVNDB-2026-011712date:2026-04-20T00:00:00
db:NVDid:CVE-2026-35063date:2026-04-09T20:16:25.833