2026-04-09 19:00:09
icscert
PUBLISHED
OpenPLC_V3 REST API endpoint checks for JWT presence but never verifies the callers role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID or they can create new accounts with role=admin, escalating to full administrator access.