Cyber Resilience

CVE-2026-35063

Severity: High
Published: 09 April 2026
Modified: 16 April 2026
KEV Added: not listed
CVSS Score v4: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0024 (14.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-35063 is a high-severity Missing Authorization (CWE-862) vulnerability in Openplcproject Openplc V3 Firmware. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). By exploit likelihood (EPSS) it ranks at the 14.9th percentile, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-35063 is a critical authorization flaw in a REST API endpoint of OpenPLC_V3. The endpoint checks only for the presence of a JSON Web Token (JWT) and never verifies the caller's role, which is CWE-862 (Missing Authorization). Any authenticated user holding the basic role=user can therefore delete arbitrary users, including administrators, by specifying the target user ID in the request, or create new accounts assigned role=admin, escalating to full administrative access.

The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating exploitation over the network with low complexity and low privileges required, without user interaction or scope changes. An attacker with valid user-level credentials can achieve complete compromise of the OpenPLC_V3 instance by elevating privileges or removing higher-privileged accounts, potentially disrupting industrial control systems relying on this PLC runtime.
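The authorization gap described above, as an added illustration that is not OpenPLC's code: a constructed HS256 JWT helper, a user-deletion handler that only checks that a valid token is present (the CWE-862 pattern), and the hardened handler that also enforces the caller's role from the server-side user store. Secret, users and handler names are all assumptions for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret and user store; not OpenPLC's configuration.
SECRET = b"demo-signing-secret"
USERS = {1: {"name": "admin", "role": "admin"}, 2: {"name": "alice", "role": "user"}}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(user_id: int) -> str:
    """Issue a minimal HS256 JWT whose 'sub' claim is the user ID."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_id}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str):
    """Return the claims if the signature is valid, else None (authentication only)."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def delete_user_vulnerable(token: str, target_id: int, users: dict) -> int:
    """CWE-862 pattern: any caller with a valid JWT may delete any account."""
    if verify_token(token) is None:
        return 401
    users.pop(target_id, None)
    return 200


def delete_user_fixed(token: str, target_id: int, users: dict) -> int:
    """Authentication plus authorization: only an admin may delete accounts."""
    claims = verify_token(token)
    if claims is None:
        return 401
    # Look the role up server-side rather than trusting a claim in the token,
    # so a demoted user loses admin rights as soon as the store is updated.
    if users.get(claims.get("sub"), {}).get("role") != "admin":
        return 403
    if target_id not in users:
        return 404
    del users[target_id]
    return 200
```

The same role check belongs on the account-creation path, since the advisory text says that path also lets role=user callers assign role=admin.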

Mitigation guidance is available in CISA ICS Advisory ICSA-25-345-10, accessible at https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-10. The vulnerability was published on 2026-04-09T20:16:25.833.

Vulnerability details

An OpenPLC_V3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID, or can create new accounts with role=admin, escalating to full administrator access.

CWE(s): CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1098 Account Manipulation (Persistence): Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
T1136 Create Account (Persistence): Adversaries may create an account to maintain access to victim systems.
T1531 Account Access Removal (Impact): Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Why these techniques?

Missing authorization in the REST API allows low-privilege authenticated users to create admin accounts (T1136/T1098) and delete users (T1531), directly enabling privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35556 (same product: Openplcproject Openplc V3)
CVE-2025-26377 (shared CWE-862)
CVE-2025-26368 (shared CWE-862)
CVE-2026-46425 (shared CWE-862)
CVE-2025-26370 (shared CWE-862)
CVE-2025-22611 (shared CWE-862)
CVE-2025-27583 (shared CWE-862)
CVE-2026-7802 (shared CWE-862)
CVE-2026-4261 (shared CWE-862)
CVE-2023-47179 (shared CWE-862)

Affected Assets

Vendor: openplcproject
Product: openplc v3 firmware
Versions: all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Enforces approved authorizations for access to system resources, directly preventing authenticated users from bypassing role checks to delete administrators or create admin accounts via the REST API.

AC-6 Least Privilege (prevent): Employs least privilege to restrict basic 'user' roles from performing administrative actions such as user deletion or admin creation, comprehensively mitigating the privilege escalation vulnerability.

AC-2 Account Management (prevent): Manages accounts by establishing conditions for role membership and access authorizations, helping prevent exploitation through improper role assignments in the vulnerable API.