CVE-2026-6901
Received Received - Intake

Untrusted Search Path in B&R APROL

Vulnerability report for CVE-2026-6901, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: Asea Brown Boveri Ltd. (ABB)

Description

Untrusted Search Path vulnerability in B&R Industrial Automation GmbH APROL. This issue affects APROL: before R 4.4-01P5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
b&r_industrial_automation_gmbh aprol to 4.4-01P5 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-426 The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

The primary mitigation step is to update APROL to version R 4.4-01P5 or later, where this vulnerability is resolved.

As a workaround before applying the update, administrators should remove or replace all wildcard AliasMatch directives in the Apache configuration file with explicit aliases that reference specific APROL system and project names.

This reduces the risk of path traversal attacks that exploit the untrusted search path.

Executive Summary

CVE-2026-6901 is an Untrusted Search Path vulnerability found in the webserver component of B&R Industrial Automation GmbH's APROL software versions prior to R 4.4-01P5.

This vulnerability allows authenticated local attackers to elevate their privileges by exploiting an untrusted search path in the system.

Essentially, attackers can gain higher access levels than intended by taking advantage of how the system searches for executable files or libraries, potentially compromising system integrity.

Impact Analysis

This vulnerability can lead to privilege escalation, allowing an authenticated local attacker to gain higher access rights than they should have.

Such elevated privileges could compromise the integrity of the system, potentially allowing unauthorized actions or access to sensitive components.

Detection Guidance

This vulnerability is related to an untrusted search path in the webserver component of APROL versions prior to R 4.4-01P5, which can be exploited by authenticated local attackers.

To detect the vulnerability, administrators should check the Apache configuration files for the presence of wildcard AliasMatch directives, which are a key factor in the vulnerability.

Suggested commands include searching for AliasMatch directives in Apache configuration files, for example:

  • grep -r AliasMatch /etc/apache2/ or /etc/httpd/ (depending on your system) to find wildcard AliasMatch directives.
  • Verify the APROL version installed to confirm if it is prior to R 4.4-01P5.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6901. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart