CVE-2026-35063
Published: 09 April 2026
Summary
CVE-2026-35063 is a high-severity Missing Authorization (CWE-862) vulnerability in Openplcproject Openplc V3 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability is ranked at the 11.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for access to system resources, directly preventing authenticated users from bypassing role checks to delete administrators or create admin accounts via the REST API.
- AC-6 (Least Privilege): Employs least privilege to restrict the basic 'user' role from performing administrative actions such as user deletion or admin creation, comprehensively mitigating the privilege escalation vulnerability.
- AC-2 (Account Management): Manages accounts by establishing conditions for role membership and access authorizations, helping prevent exploitation through improper role assignments in the vulnerable API.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization in the REST API allows low-privileged authenticated users to create admin accounts (T1136 Create Account / T1098 Account Manipulation) and delete users (T1531 Account Access Removal), directly enabling privilege escalation (T1068 Exploitation for Privilege Escalation).
NVD Description
OpenPLC_V3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID, or they can create new accounts with role=admin, escalating to full administrator access.
Deeper analysis
CVE-2026-35063 is a critical authorization flaw in the OpenPLC_V3 REST API endpoint. The endpoint checks only for the presence of a JSON Web Token (JWT), which establishes authentication, but never verifies the caller's role, which is the authorization step, violating CWE-862 (Missing Authorization). As a result, any authenticated user with the basic role=user can delete arbitrary users, including administrators, by specifying their user ID in the request, or can create new accounts assigned role=admin, escalating to full administrative access.
The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): it is exploitable over the network with low attack complexity and low privileges required, with no user interaction and no scope change. An attacker holding valid user-level credentials can achieve complete compromise of the OpenPLC_V3 instance by elevating privileges or removing higher-privileged accounts, potentially disrupting industrial control systems that rely on this PLC runtime.
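As an added illustration, not code from the OpenPLC project or from this advisory, the Python handlers below contrast the CWE-862 pattern described above (a valid JWT treated as permission) with handlers that enforce the caller's role before deleting users or creating accounts. The HS256 token helpers, demo secret, in-memory user store and HTTP status codes are constructed for the example and are not taken from OpenPLC_V3.

```python
import base64, hashlib, hmac, json
SECRET = b"constructed-demo-secret"  # constructed demo key, not a real deployment value

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_token(user_id: int, role: str) -> str:  # mint an HS256 JWT with identity and role
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_id, "role": role}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str):  # authentication only: claims dict if the signature is valid
    parts = token.split(".")
    if len(parts) != 3:
        return None
    expected = hmac.new(SECRET, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected).encode(), parts[2].encode()):
        return None
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def _authorize(token: str, required_role: str):  # -> (claims, None) or (None, HTTP status)
    claims = verify_token(token)
    if claims is None:
        return None, 401  # no valid token at all
    if claims.get("role") != required_role:
        return None, 403  # valid token, but this role may not perform the action
    return claims, None

def delete_user_vulnerable(token: str, target_id: int, users: dict) -> int:
    # CWE-862 pattern from the advisory: a valid JWT is treated as permission.
    if verify_token(token) is None:
        return 401
    users.pop(target_id, None)  # role=user can remove an administrator here
    return 200

def delete_user_fixed(token: str, target_id: int, users: dict) -> int:
    # Role enforced (AC-3 / AC-6): only an admin may delete accounts.
    _, err = _authorize(token, "admin")
    if err:
        return err
    users.pop(target_id, None)
    return 200

def create_user_fixed(token: str, new_id: int, role: str, users: dict) -> int:
    _, err = _authorize(token, "admin")
    if err:
        return err
    users[new_id] = {"role": role}  # even a role=admin account needs an admin caller
    return 201
```

The distinction to take away is that a 401 means the token failed authentication, while a 403 means the caller is authenticated but lacks the role; the vulnerable handler never produces the second case.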
Mitigation guidance is available in CISA ICS Advisory ICSA-25-345-10, accessible at https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-10. The vulnerability was published on 2026-04-09T20:16:25.833.
Details
- CWE(s): CWE-862 (Missing Authorization)