CVE-2026-0936
Unknown Unknown - Not Provided
Sensitive Information Exposure in B&R PVI Client Logging

Publication date: 2026-01-29

Last updated on: 2026-01-29

Assigner: Asea Brown Boveri Ltd. (ABB)

Description
An Insertion of Sensitive Information into Log File vulnerability in B&R PVI client versions prior to 6.5 may be abused by an authenticated local attacker to gather credential information which is processed by the PVI client application. The logging function of the PVI client application is disabled by default and must be explicitly enabled by the user.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-29
Last Modified
2026-01-29
Generated
2026-06-16
AI Q&A
2026-01-29
EPSS Evaluated
2026-06-15
NVD
CVE-2026-0936
EUVD
EUVD-2026-4973
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
b&r pviclient to 6.5.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-532 The product writes sensitive information to a log file.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-0936 is a vulnerability in B&R PVI client versions prior to 6.5.0 where sensitive information, such as credentials processed by the application, can be inserted into log files. An authenticated local attacker with access to the client system can exploit this logging feature to gather sensitive data. The logging function is disabled by default and must be explicitly enabled by the user. [1]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive credential information if an attacker gains authenticated local access and logging is enabled. This could compromise the security of the system by exposing credentials that may be used for further attacks. However, since logging is disabled by default, the risk is reduced unless logging is explicitly enabled and log files are not properly secured or deleted. [1]

Detection Guidance

This vulnerability can be detected by checking if the B&R PVI client application version is prior to 6.5.0 and if logging is enabled on the client system. Since logging is disabled by default and must be explicitly enabled by the user, detection involves verifying the logging configuration and inspecting log files for sensitive information. Specific commands are not provided in the available resources, but general steps include verifying the installed PVI client version and checking the logging settings and log file contents on the local system. [1]

Mitigation Strategies

Immediate mitigation steps include updating the B&R PVI client application to version 6.5.0 or later, which resolves the vulnerability. Additionally, users should enable logging only when necessary for troubleshooting or analysis, securely delete log files when no longer needed, and restrict access to log storage directories to authorized users only. General cybersecurity best practices such as network isolation, physical access controls, limiting network exposure, keeping software and firmware up to date, using secure remote access methods like VPNs, and scanning imported data for malware are also recommended. [1]

Compliance Impact

The provided resources do not explicitly address how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability involves insertion of sensitive information into log files that could expose credential information, it may pose a risk to data confidentiality and therefore could impact compliance with regulations that require protection of sensitive data. Mitigation steps include restricting access to logs and secure deletion, which align with best practices for compliance, but no direct compliance impact is stated. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0936. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart