CVE-2026-35063
Received Received - Intake
Privilege Escalation via Insecure JWT Role Check in OpenPLC_V

Publication date: 2026-04-09

Last updated on: 2026-04-16

Assigner: ICS-CERT

Description
OpenPLC_V3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID or they can create new accounts with role=admin, escalating to full administrator access.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35063
EUVD
EUVD-2026-21035
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openplcproject openplc_v3_firmware *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the OpenPLC_V3 REST API where the endpoint checks if a JSON Web Token (JWT) is present but does not verify the caller's role properly.

As a result, any authenticated user with the role 'user' can delete other users, including administrators, by specifying their user ID.

Additionally, such a user can create new accounts with the role 'admin', effectively escalating their privileges to full administrator access.

Impact Analysis

This vulnerability can have severe impacts including unauthorized deletion of user accounts, even those with administrative privileges.

It also allows privilege escalation by enabling a normal user to create new administrator accounts.

Such actions can lead to loss of control over the system, unauthorized access, potential data breaches, and disruption of normal operations.

Compliance Impact

This vulnerability allows any authenticated user with a basic user role to delete other users, including administrators, or to create new administrator accounts, effectively escalating their privileges to full administrator access.

Such unauthorized privilege escalation and user account manipulation can lead to unauthorized access to sensitive data and critical system functions.

This situation can compromise compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls, user authentication, and protection of sensitive data.

Failure to properly verify user roles and prevent unauthorized administrative actions may result in violations of these regulations, potentially leading to data breaches and legal consequences.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35063. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart