JWT Signature Validation Bypass in FactoryTalk® Services Platform by Rockwell Automation
CVE-2026-10714

8.8HIGH

What is CVE-2026-10714?

A security vulnerability within the FactoryTalk® Services Platform allows an attacker to bypass JWT signature validation during Okta Web Authentication. This issue arises because the application fails to properly enforce the expected JWT algorithm of RSA, allowing attackers to set the algorithm to 'none' and create forged tokens. As a result, an authenticated low-privilege user could impersonate authorized users on the FTSP server. This unauthorized access could lead to alterations in system configuration and the ability to grant permissions to protected systems, posing significant risks to security and operations.

Affected Version(s)

FactoryTalk® Services Platform Version 6.60

References

CVSS V4

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.