Authentication Bypass in OpenPLC V3 Affected by Insufficient Role Verification
CVE-2026-35063
8.7 HIGH
What is CVE-2026-35063?
The OpenPLC V3 REST API is vulnerable due to insufficient verification of user roles. Authenticated users with a 'user' role can exploit this flaw to delete other users, including those with administrative privileges, by simply knowing their user IDs. Additionally, these users can create new accounts and assign them administrative roles, granting themselves and others full control over the system. This vulnerability poses a serious risk to system integrity and user data security.
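To illustrate the class of defect described above, here is an added example that is not OpenPLC's code: a hypothetical, framework-free user-management store in which the weak delete handler checks only that the caller is logged in, while the hardened handlers enforce a server-side admin role check for deleting users and for creating accounts or assigning roles. All names and the in-memory user table are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    user_id: int
    name: str
    role: str  # "admin" or "user"


class AuthorizationError(Exception):
    pass


def require_admin(caller: Optional[User]) -> None:
    # The role is read from the server-side session object, never from the
    # request body, so a client cannot claim a role it does not hold.
    if caller is None:
        raise AuthorizationError("login required")
    if caller.role != "admin":
        raise AuthorizationError("admin role required")


class UserStore:
    """Hypothetical in-memory user table (constructed for this example)."""

    def __init__(self) -> None:
        self.users = {1: User(1, "alice", "admin"), 2: User(2, "bob", "user")}
        self._next_id = 3

    def delete_user_weak(self, caller: Optional[User], target_id: int) -> bool:
        # Weak: verifies only that the caller is authenticated, not which role
        # they hold, so any logged-in user can remove an administrator by ID.
        if caller is None:
            raise AuthorizationError("login required")
        return self.users.pop(target_id, None) is not None

    def delete_user(self, caller: Optional[User], target_id: int) -> bool:
        # Hardened: the role check runs on the server for every privileged call.
        require_admin(caller)
        return self.users.pop(target_id, None) is not None

    def create_user(self, caller: Optional[User], name: str, role: str) -> User:
        # Hardened: only an admin may create accounts or assign the admin role.
        require_admin(caller)
        if role not in ("admin", "user"):
            raise ValueError("unknown role")
        user = User(self._next_id, name, role)
        self.users[user.user_id] = user
        self._next_id += 1
        return user
```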
Affected Version(s)
OpenPLC_V3: all versions
CVSS V4
Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Arad Inbar, Nir Somech, Ben Grinberg, Daniel Lubel, Erez Cohen, and Adiel Sol from DREAM
