Security Advisory

CVE-2026-35063

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-04-09 19:00:09

Last updated 2026-04-10 18:04:45

Assigner icscert

State PUBLISHED

Description

OpenPLC_V3 REST API endpoint checks for JWT presence but never verifies the callers role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID or they can create new accounts with role=admin, escalating to full administrator access.

← Browse all CVEs View on cve.org ↗