CVE-2026-8046
Awaiting Analysis Awaiting Analysis - Queue
Authorization Bypass in User Account Deletion

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: CERT VDE

Description
The affected products insufficiently verify authorization when deleting user accounts. An authenticated, low-privileged remote user can exploit this vulnerability to delete other users, including those with higher privileges.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-26
Generated
2026-06-15
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-8046
EUVD
EUVD-2026-31799
Affected Vendors & Products
Showing 26 associated CPEs
Vendor Product Version / Range
codesys control to 3.5.22.20 (exc)
codesys control to 4.21.0.0 (exc)
codesys control_rte to 3.5.22.20 (exc)
codesys control_rte to 4.21.0.0 (exc)
codesys runtime_toolkit to 3.5.22.20 (exc)
codesys runtime_toolkit to 4.21.0.0 (exc)
codesys hmi to 3.5.22.20 (exc)
codesys hmi to 4.21.0.0 (exc)
codesys plcnext to 3.5.22.20 (exc)
codesys plcnext to 4.21.0.0 (exc)
codesys wago_touch_panels_600 to 3.5.22.20 (exc)
codesys wago_touch_panels_600 to 4.21.0.0 (exc)
codesys raspberry_pi to 3.5.22.20 (exc)
codesys raspberry_pi to 4.21.0.0 (exc)
codesys empc_a_imx6 to 3.5.22.20 (exc)
codesys empc_a_imx6 to 4.21.0.0 (exc)
codesys iot2000 to 3.5.22.20 (exc)
codesys iot2000 to 4.21.0.0 (exc)
codesys linux_arm to 3.5.22.20 (exc)
codesys linux_arm to 4.21.0.0 (exc)
codesys linux to 3.5.22.20 (exc)
codesys linux to 4.21.0.0 (exc)
codesys pfc100 to 3.5.22.20 (exc)
codesys pfc100 to 4.21.0.0 (exc)
codesys pfc200 to 3.5.22.20 (exc)
codesys pfc200 to 4.21.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the CODESYS Control runtime system where there is insufficient verification of authorization when deleting user accounts.

An authenticated remote user with low-privileged visualization administrator access can exploit this flaw to delete other user accounts, including those with higher privileges.

The issue arises due to inadequate authorization checks in the user management mechanism, although the system prevents deletion of the last remaining device admin user to avoid complete loss of administrative access.

Impact Analysis

Exploitation of this vulnerability allows an attacker to delete user accounts, including those with higher privileges.

This can lead to a persistent denial-of-service for legitimate users and cause login failures for communication clients.

Although the last device admin user cannot be deleted, the removal of other accounts can disrupt normal operations and user management.

Detection Guidance

This vulnerability affects systems where the optional visualization user management feature is enabled and a visualization administrator account has been configured.

Detection involves verifying if your CODESYS Control runtime system is running a vulnerable version below 3.5.22.20 or 4.21.0.0 depending on the product.

Since the vulnerability allows an authenticated low-privileged user to delete other user accounts, monitoring user account deletions or unexpected changes in user privileges in the system logs could help detect exploitation attempts.

No specific commands for detection are provided in the available resources.

Mitigation Strategies

The primary mitigation step is to update affected CODESYS Control products to fixed versions.

  • Update CODESYS Control RTE (SL), RTE (for Beckhoff CX) SL, Win (SL), HMI (SL), and Runtime Toolkit to version 3.5.22.20 or later.
  • For BeagleBone SL, emPC-A/iMX6 SL, IOT2000 SL, Linux ARM SL, Linux SL, PFC100 SL, PFC200 SL, PLCnext SL, Raspberry Pi SL, WAGO Touch Panels 600 SL, and Virtual Control SL, update to version 4.21.0.0 or later (expected in June 2026).

Updates can be obtained through the CODESYS Installer, CODESYS Store, or the CODESYS Update area.

Compliance Impact

The vulnerability allows an authenticated, low-privileged remote user to delete other user accounts, including those with higher privileges, due to insufficient authorization checks. This can lead to denial-of-service for legitimate users and potential login failures for communication clients.

Such unauthorized deletion of user accounts could impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of user data and system integrity. The ability to delete privileged accounts without proper authorization may violate principles of least privilege and accountability, potentially leading to unauthorized access or disruption of critical systems.

However, the system does include protections to prevent deletion of the last remaining device admin user, which mitigates complete loss of administrative access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8046. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart