Platform: other
Component: openplc-v3
Fixed in: 3.0.1
CVE-2026-35063 describes a critical privilege escalation vulnerability within the OpenPLC_V3 REST API. The API endpoint responsible for user management fails to properly verify user roles, allowing lower-privileged users to manipulate administrator accounts. This flaw impacts versions 1.0.0 and all preceding releases, enabling unauthorized access and control. A fix is available in version 3.0.1.
This vulnerability presents a significant risk to OpenPLC_V3 deployments. An attacker who has authenticated with a standard user account (role=user) can exploit this flaw to delete existing administrator accounts, effectively locking out legitimate administrators. More critically, they can create new accounts with elevated privileges (role=admin), granting themselves complete control over the PLC system. This could lead to unauthorized modifications of PLC programs, manipulation of industrial processes, and potentially catastrophic consequences depending on the PLC's role in the overall system. The blast radius extends to any system that relies on the compromised OpenPLC_V3 instance.
CVE-2026-35063 was publicly disclosed on 2026-04-09. There is currently no indication of active exploitation in the wild, nor is it listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet available, but the vulnerability's ease of exploitation suggests it could become a target for opportunistic attackers. The vulnerability's impact is high due to the potential for complete system compromise.
Exploit Status
EPSS: 0.04% (13th percentile)
CISA SSVC
The primary mitigation for CVE-2026-35063 is to upgrade OpenPLC_V3 to version 3.0.1 or later immediately. If an immediate upgrade is not feasible because of compatibility concerns or downtime requirements, consider temporary workarounds. While not a complete solution, restricting network access to the OpenPLC_V3 REST API to trusted sources limits the exposed attack surface. Carefully review user roles and permissions within the system to ensure the principle of least privilege is enforced. Monitor user activity logs for suspicious actions, particularly account creation or deletion events. No Sigma or YARA rules specific to this vulnerability are readily available, but generic rules for detecting unusual user account management activity should be implemented.
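As an added example (not from this advisory or the OpenPLC project), the following Python detector implements the monitoring advice above over a few constructed audit-log lines: it flags any account create/delete event issued by a principal whose role is not admin (a successful one is the signature of this bug being abused; a rejected one indicates probing after the fix) and records any creation of a new admin account for review. The log format, field names and action names are assumptions chosen for the illustration.

```python
"""Added example: flag user-account management events by non-admin principals.
The line format, field names and action names below are assumptions, not
OpenPLC_V3's real audit log format."""
import re

# Constructed sample audit lines (not real OpenPLC_V3 logs).
SAMPLE_LOG = """\
2026-04-10T08:00:01Z actor=root role=admin action=user.create target=alice new_role=user status=200
2026-04-10T08:01:02Z actor=bob role=user action=user.delete target=root status=200
2026-04-10T08:01:09Z actor=bob role=user action=user.create target=bob2 new_role=admin status=200
2026-04-10T08:02:00Z actor=alice role=user action=program.upload target=main.st status=200
2026-04-10T08:03:00Z actor=bob role=user action=user.create target=eve new_role=admin status=403
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
# Actions that mutate accounts; only these are in scope for the rule.
ACCOUNT_ACTIONS = {"user.create", "user.delete", "user.update"}


def parse_line(line):
    """Parse one 'timestamp key=value key=value ...' line into a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for token in m.group("kv").split():
        if "=" not in token:
            return None  # malformed token: skip the whole line rather than guess
        key, value = token.split("=", 1)
        fields[key] = value
    fields["ts"] = m.group("ts")
    return fields


def detect(log_text):
    """Return a list of alert dicts for suspicious account-management events."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev.get("action") not in ACCOUNT_ACTIONS:
            continue
        succeeded = ev.get("status") == "200"
        base = {"ts": ev["ts"], "actor": ev.get("actor"), "action": ev["action"],
                "target": ev.get("target")}
        if ev.get("role") != "admin":
            # Non-admin touching accounts: high if it went through, medium if rejected.
            alerts.append({**base,
                           "severity": "high" if succeeded else "medium",
                           "reason": "account management by non-admin role"})
        elif ev["action"] == "user.create" and ev.get("new_role") == "admin" and succeeded:
            # Legitimate but noteworthy: a new administrator was created.
            alerts.append({**base, "severity": "info",
                           "reason": "new administrator account created"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f'{a["severity"]:6} {a["ts"]} {a["actor"]} {a["action"]} -> {a["target"]}: {a["reason"]}')
```

Run against the sample, the rule raises two high-severity alerts for the successful delete and admin-create by `bob` and one medium alert for the rejected attempt; the admin's own creation of a plain user is not reported. Feeding real audit lines requires adapting `parse_line` to the actual format.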
Update OpenPLC_V3 to version 3.0.1 or later to mitigate the vulnerability. This update implements role verification in the REST API endpoint, preventing privilege escalation and user account manipulation.
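As an added illustration, and not OpenPLC_V3's own code, the sketch below shows the class of defect the advisory describes next to the server-side role verification the fix introduces: a user-management handler that only checks that the caller is authenticated, and the same handler gated on the caller's role. The in-memory store, the `Session` model, the function names and the extra guard against removing the last administrator are assumptions made for the example.

```python
"""Added example (not OpenPLC_V3 project code): missing role check on a
user-management endpoint, shown beside the role-verified version.
Store, session model and function names are assumptions for illustration."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller's role does not permit the operation."""


@dataclass
class Session:
    username: str
    role: str  # "user" or "admin", established server-side at login


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)   # username -> role
    audit: list = field(default_factory=list)   # (actor, action, target)


def delete_user_vulnerable(store, session, target):
    """Vulnerable pattern: any authenticated session may mutate accounts."""
    store.users.pop(target, None)
    store.audit.append((session.username, "delete", target))


def create_user_vulnerable(store, session, name, role):
    """Vulnerable pattern: the requested role is stored without an authz check."""
    store.users[name] = role
    store.audit.append((session.username, "create", name))


def require_admin(session):
    """Server-side role verification; nothing supplied by the client is trusted."""
    if session.role != "admin":
        raise Forbidden(f"{session.username} (role={session.role}) is not an administrator")


def delete_user_fixed(store, session, target):
    require_admin(session)
    # Defence in depth (assumption, not from the advisory): keep at least one admin.
    admins = [u for u, r in store.users.items() if r == "admin"]
    if store.users.get(target) == "admin" and len(admins) == 1:
        raise Forbidden("refusing to delete the last administrator account")
    store.users.pop(target, None)
    store.audit.append((session.username, "delete", target))


def create_user_fixed(store, session, name, role):
    require_admin(session)
    if role not in ("user", "admin"):
        raise ValueError("unknown role")
    store.users[name] = role
    store.audit.append((session.username, "create", name))


def demo():
    """Exercise both variants with a standard-user session; returns outcomes."""
    results = {}
    bob = Session("bob", "user")
    root = Session("root", "admin")

    vuln = UserStore({"root": "admin", "bob": "user"})
    delete_user_vulnerable(vuln, bob, "root")
    create_user_vulnerable(vuln, bob, "bob2", "admin")
    results["vulnerable_users"] = dict(vuln.users)

    fixed = UserStore({"root": "admin", "bob": "user"})
    results["fixed_denied"] = []
    for op in (lambda: delete_user_fixed(fixed, bob, "root"),
               lambda: create_user_fixed(fixed, bob, "bob2", "admin")):
        try:
            op()
            results["fixed_denied"].append(False)
        except Forbidden:
            results["fixed_denied"].append(True)
    create_user_fixed(fixed, root, "alice", "admin")  # admins may still manage users
    results["fixed_users"] = dict(fixed.users)
    return results


if __name__ == "__main__":
    print(demo())
```

With the vulnerable handlers, the `bob` session removes `root` and adds an admin account; with the fixed handlers both calls raise `Forbidden` and only the administrator session can manage accounts. The role must come from the server-side session, never from a field in the request body.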
CVE-2026-35063 is a vulnerability in OpenPLC_V3 where authenticated users can escalate privileges to administrator level by deleting or creating accounts.
Yes, if you are running OpenPLC_V3 versions 1.0.0 or earlier, you are affected by this privilege escalation vulnerability.
Upgrade OpenPLC_V3 to version 3.0.1 or later to resolve the vulnerability. Consider temporary workarounds like restricting network access if an immediate upgrade is not possible.
There is currently no evidence of active exploitation in the wild, but the vulnerability's ease of exploitation suggests it could become a target.
Refer to the official OpenPLC documentation and security advisories on their website for the latest information and updates regarding CVE-2026-35063.