CVE-2026-31156 OpenPLC Project CVE debrief

Who should care

Organizations running OpenPLC v3 firmware version 2024-03-09 or earlier, particularly in industrial control system (ICS) environments where OpenPLC is deployed for programmable logic controller functionality. Security teams responsible for OT/ICS infrastructure, system administrators managing OpenPLC deployments, and developers maintaining OpenPLC forks or custom builds.

Technical summary

The glue_generator.cpp component in OpenPLC v3 fails to validate file path parameters supplied via command-line arguments before passing them to fopen, ifstream, and ofstream operations. This allows an attacker to inject path traversal sequences and read arbitrary files readable by the process. The vulnerability requires local access with low privileges and has been assigned CVSS 3.1 score 6.5 (MEDIUM).

Defensive priority

medium

Recommended defensive actions

• Validate and sanitize all file path inputs in glue_generator.cpp before passing to file operation functions
• Implement path canonicalization to resolve symbolic links and directory traversal sequences
• Restrict file access to intended directories using chroot or similar containment mechanisms
• Apply principle of least privilege to the glue_generator binary execution context
• Monitor for anomalous file access patterns from OpenPLC processes
• Review and update to patched version when available from vendor

Evidence notes

CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) identified in NVD record. Affected product confirmed as OpenPLC v3 firmware version 2024-03-09 per CPE criteria. Third-party exploit reference published to GitHub.

Official resources