CVE-2026-8046
Authorization Bypass in User Account Deletion
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: CERT VDE
Description
Affected Vendors & Products
| Vendor | Product | Affected versions ("to X (exc)" = all versions before X, X itself excluded) |
|---|---|---|
| codesys | control | to 3.5.22.20 (exc) |
| codesys | control | to 4.21.0.0 (exc) |
| codesys | control_rte | to 3.5.22.20 (exc) |
| codesys | control_rte | to 4.21.0.0 (exc) |
| codesys | runtime_toolkit | to 3.5.22.20 (exc) |
| codesys | runtime_toolkit | to 4.21.0.0 (exc) |
| codesys | hmi | to 3.5.22.20 (exc) |
| codesys | hmi | to 4.21.0.0 (exc) |
| codesys | plcnext | to 3.5.22.20 (exc) |
| codesys | plcnext | to 4.21.0.0 (exc) |
| codesys | wago_touch_panels_600 | to 3.5.22.20 (exc) |
| codesys | wago_touch_panels_600 | to 4.21.0.0 (exc) |
| codesys | raspberry_pi | to 3.5.22.20 (exc) |
| codesys | raspberry_pi | to 4.21.0.0 (exc) |
| codesys | empc_a_imx6 | to 3.5.22.20 (exc) |
| codesys | empc_a_imx6 | to 4.21.0.0 (exc) |
| codesys | iot2000 | to 3.5.22.20 (exc) |
| codesys | iot2000 | to 4.21.0.0 (exc) |
| codesys | linux_arm | to 3.5.22.20 (exc) |
| codesys | linux_arm | to 4.21.0.0 (exc) |
| codesys | linux | to 3.5.22.20 (exc) |
| codesys | linux | to 4.21.0.0 (exc) |
| codesys | pfc100 | to 3.5.22.20 (exc) |
| codesys | pfc100 | to 4.21.0.0 (exc) |
| codesys | pfc200 | to 3.5.22.20 (exc) |
| codesys | pfc200 | to 4.21.0.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the CODESYS Control runtime system where there is insufficient verification of authorization when deleting user accounts.
An authenticated remote user with low-privileged visualization administrator access can exploit this flaw to delete other user accounts, including those with higher privileges.
The root cause is an inadequate authorization check in the user management mechanism (CWE-863): the check does not confirm that the caller is entitled to delete the specific target account. The one guard that does exist prevents deletion of the last remaining device admin user, so administrative access cannot be lost entirely.
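As an added illustration of the authorization pattern described above (this is a hypothetical model, not CODESYS code; the role names, account names and the store layout are assumptions), the following shows a deletion check that only confirms the caller holds some administrator role, beside a hardened check that scopes deletion rights by role, with the last-device-admin guard that both variants share:

```python
from dataclasses import dataclass, field

# Assumed privilege ordering; role names are placeholders, not CODESYS identifiers.
RANK = {"vis_user": 0, "vis_admin": 1, "device_admin": 2}

@dataclass
class UserStore:
    roles: dict = field(default_factory=dict)   # account name -> role
    audit: list = field(default_factory=list)   # deletions a log monitor could watch

    def device_admins(self):
        return [n for n, r in self.roles.items() if r == "device_admin"]

def _remove(store, actor, target):
    # Guard present in both variants: the last device admin is never deleted.
    if store.roles[target] == "device_admin" and len(store.device_admins()) == 1:
        raise PermissionError("cannot delete the last device admin")
    del store.roles[target]
    store.audit.append(f"user '{target}' deleted by '{actor}'")

def delete_user_vulnerable(store, actor, target):
    """CWE-863 pattern: the check only asks whether the caller is some kind of
    administrator, so a visualization admin can delete device admin accounts."""
    if RANK[store.roles[actor]] < RANK["vis_admin"]:
        raise PermissionError("administrator role required")
    _remove(store, actor, target)

def delete_user_fixed(store, actor, target):
    """Hardened check: each role may delete only accounts within its own scope."""
    a, t = store.roles[actor], store.roles[target]
    if a == "device_admin":
        pass  # full user management
    elif a == "vis_admin" and RANK[t] < RANK["vis_admin"]:
        pass  # may manage plain visualization users only
    else:
        raise PermissionError(f"{a} may not delete a {t} account")
    _remove(store, actor, target)

def attempt(delete_fn, store, actor, target):
    # Run one deletion and report whether it was permitted.
    try:
        delete_fn(store, actor, target)
        return True
    except PermissionError:
        return False

def make_store():
    # Constructed sample accounts for the demonstration.
    return UserStore(roles={"root": "device_admin", "ops": "device_admin",
                            "viz": "vis_admin", "panel": "vis_user"})
```

With the flawed check the visualization admin "viz" can remove the device admin "ops"; the hardened check confines "viz" to plain visualization users while the last-admin guard still holds for "root".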
How can this vulnerability impact me?
Exploitation of this vulnerability allows an attacker to delete user accounts, including those with higher privileges.
This can lead to a persistent denial-of-service for legitimate users and cause login failures for communication clients.
Although the last device admin user cannot be deleted, the removal of other accounts can disrupt normal operations and user management.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects systems where the optional visualization user management feature is enabled and a visualization administrator account has been configured.
Detection starts with checking whether your CODESYS Control runtime system is running a vulnerable version, that is, a version below 3.5.22.20 or below 4.21.0.0 depending on the product line.
Since the vulnerability allows an authenticated low-privileged user to delete other user accounts, monitoring user account deletions or unexpected changes in user privileges in the system logs could help detect exploitation attempts.
No specific commands for detection are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update affected CODESYS Control products to fixed versions.
- Update CODESYS Control RTE (SL), RTE (for Beckhoff CX) SL, Win (SL), HMI (SL), and Runtime Toolkit to version 3.5.22.20 or later.
- For BeagleBone SL, emPC-A/iMX6 SL, IOT2000 SL, Linux ARM SL, Linux SL, PFC100 SL, PFC200 SL, PLCnext SL, Raspberry Pi SL, WAGO Touch Panels 600 SL, and Virtual Control SL, update to version 4.21.0.0 or later (expected in June 2026).
Updates can be obtained through the CODESYS Installer, CODESYS Store, or the CODESYS Update area.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an authenticated, low-privileged remote user to delete other user accounts, including those with higher privileges, due to insufficient authorization checks. This can lead to denial-of-service for legitimate users and potential login failures for communication clients.
Such unauthorized deletion of user accounts could impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of user data and system integrity. The ability to delete privileged accounts without proper authorization may violate principles of least privilege and accountability, potentially leading to unauthorized access or disruption of critical systems.
However, the system does include protections to prevent deletion of the last remaining device admin user, which mitigates complete loss of administrative access.