PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-35063 OpenPLC_V3 CVE debrief

OpenPLC_V3 contains a broken access control vulnerability in its REST API. The user-management endpoints check that a JWT is present but never verify the caller's role, so any authenticated account with role=user can delete arbitrary users (including administrators) by user ID, or create new accounts with role=admin, and thereby obtain full administrative access. The vulnerability was initially published on 2025-12-11 and updated on 2026-04-09. OpenPLC_v3 is end-of-life and will not receive a fix; users should migrate to OpenPLC Runtime v4.

Vendor
OpenPLC_V3
Product
Unknown
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2025-12-11
Original CVE updated
2026-04-09
Advisory published
2025-12-11
Advisory updated
2026-04-09

Who should care

Organizations operating OpenPLC_v3 in industrial control system environments, OT security teams, and asset owners managing programmable logic controller deployments.

Technical summary

The affected OpenPLC_V3 REST API endpoints validate that a JWT is present but omit the role check. An authenticated attacker holding only standard user privileges can call the user-management endpoints to delete arbitrary accounts or to create new administrative accounts, resulting in complete compromise of the runtime. The root cause is CWE-862 (Missing Authorization): the handler treats a valid token as sufficient and performs no server-side check of what that token's owner is allowed to do.
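The pattern described above, as an added example that is not OpenPLC_v3's own code: a user-deletion handler that only checks for a valid token (the CWE-862 shape) beside one that also performs a server-side role check. JWT handling is a minimal HS256 implementation on the standard library; the claim names ("sub", "role", "exp"), the signing key and the user table are assumptions for illustration, and the same role check applies to the account-creation endpoint.

```python
"""Added example (not OpenPLC_v3 code): a "token present" check versus a real
role check on a user-deletion endpoint. JWT handling is a minimal HS256
implementation on the standard library; the claim names ("sub", "role", "exp"),
the key and the user table are assumptions for illustration."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

SECRET = b"demo-secret-not-for-production"  # assumption: server-side HS256 key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub: int, role: str, ttl: int = 3600) -> str:
    """Mint a signed HS256 JWT for user `sub` carrying its role."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": sub, "role": role,
                                 "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_token(token: str) -> Optional[dict]:
    """Return the claims if algorithm, signature and expiry check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(unb64url(header_b64))
        claims = json.loads(unb64url(payload_b64))
        sig = unb64url(sig_b64)
    except ValueError:  # wrong segment count, bad base64, bad JSON, bad UTF-8
        return None
    if header.get("alg") != "HS256":  # refuse alg=none and key-confusion tricks
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("exp", 0) < time.time():
        return None
    return claims


def tamper_role(token: str, new_role: str) -> str:
    """Rewrite the payload's role but keep the old signature (an attacker's forgery)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(unb64url(payload_b64))
    claims["role"] = new_role
    return f"{header_b64}.{b64url(json.dumps(claims).encode())}.{sig_b64}"


def delete_user_vulnerable(token: str, user_id: int, users: Dict[int, dict]) -> Tuple[int, str]:
    """CWE-862 pattern: a valid token is treated as authorization."""
    if verify_token(token) is None:
        return 401, "missing or invalid token"
    users.pop(user_id, None)  # any authenticated caller, any target, admins included
    return 200, "deleted"


def delete_user_hardened(token: str, user_id: int, users: Dict[int, dict]) -> Tuple[int, str]:
    """Authentication, then an explicit server-side role check, then the action."""
    claims = verify_token(token)
    if claims is None:
        return 401, "missing or invalid token"
    # Look the role up in the user store rather than trusting the claim alone,
    # so a demoted or deleted account loses access before its token expires.
    caller = users.get(claims.get("sub"))
    if caller is None or caller["role"] != "admin":
        return 403, "admin role required"
    if user_id not in users:
        return 404, "no such user"
    users.pop(user_id)
    return 200, "deleted"


def demo() -> None:
    # Constructed user table standing in for the runtime's user store.
    users = {1: {"name": "admin", "role": "admin"}, 2: {"name": "operator", "role": "user"}}
    operator_token = issue_token(2, "user")
    print(delete_user_vulnerable(operator_token, 1, dict(users)))  # operator removes the admin
    print(delete_user_hardened(operator_token, 1, dict(users)))    # refused with 403
    print(delete_user_hardened(issue_token(1, "admin"), 2, dict(users)))
    print(verify_token(tamper_role(operator_token, "admin")))      # None: signature fails


if __name__ == "__main__":
    demo()
```

The forgery in `tamper_role` is there to show that the signature check is doing its job: editing the role claim is not how this CVE is exploited, because the attacker never needs to forge anything. A legitimately issued role=user token is enough against the vulnerable handler, which is exactly why a signature check alone is not an authorization control.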

Defensive priority

HIGH

Recommended defensive actions

  • Migrate from OpenPLC_v3 to OpenPLC Runtime v4 as OpenPLC_v3 is end-of-life
  • Implement network segmentation to restrict REST API access to authorized management hosts
  • Review and audit all user accounts for unauthorized administrative privileges
  • Apply the principle of least privilege to the API: treat every user-management request as requiring an explicit server-side role check, not merely a valid token
  • Monitor API access logs for user creation and deletion events; alert on any performed by a non-administrative account and on any new account created with role=admin
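The monitoring action above, as an added example that is not OpenPLC_v3's own tooling: detection logic run over a handful of constructed access-log lines, flagging user-store changes made by non-admin callers and any account created with the admin role. The key=value log format, field names and `/api/users` path shape are assumptions; adapt the regexes to whatever your reverse proxy or runtime actually records.

```python
"""Added example (not OpenPLC_v3 code): flag user-management calls in an API
access log that a correct role check should never have allowed. The log
format, field names and endpoint paths are assumptions for illustration."""
import re
from typing import Dict, List, Optional

# Assumed key=value access-log format; not OpenPLC_v3's own log layout.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) method=(?P<method>[A-Z]+) "
    r"path=(?P<path>\S+) status=(?P<status>\d{3})(?: new_role=(?P<new_role>\S+))?$"
)
USER_MGMT_PATH = re.compile(r"^/api/users(?:/\d+)?$")  # assumed endpoint shape
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
2026-04-10T08:11:58Z user=admin role=admin method=GET path=/api/users status=200
2026-04-10T08:12:03Z user=operator role=user method=DELETE path=/api/users/1 status=200
2026-04-10T08:12:09Z user=operator role=user method=POST path=/api/users status=201 new_role=admin
2026-04-10T08:15:41Z user=admin role=admin method=POST path=/api/users status=201 new_role=user
2026-04-10T08:16:02Z user=operator role=user method=GET path=/api/runtime status=200
garbage line that does not parse
"""


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(event: Dict[str, Optional[str]]) -> List[str]:
    """Return the reasons an event deserves a look (empty list if none)."""
    reasons = []
    if event["method"] in MUTATING and USER_MGMT_PATH.match(event["path"]):
        if event["role"] != "admin":
            reasons.append("user store modified by non-admin caller")
        if event["new_role"] == "admin":
            # Worth a review even when an admin did it: this is how persistence looks.
            reasons.append("account created with admin role")
    return reasons


def find_suspicious(lines) -> List[Dict[str, object]]:
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # skipped here; in production count these, since gaps hide activity
        reasons = classify(event)
        if reasons:
            alerts.append({"ts": event["ts"], "user": event["user"], "method": event["method"],
                           "path": event["path"], "status": event["status"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample this yields two alerts, both for the operator account: the DELETE of user 1 and the POST that creates an admin account. A successful status code on either is the signal that the role check is missing or bypassed; on a v3 deployment that cannot be patched, that signal is the control.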

Evidence notes

Vulnerability description and remediation guidance sourced from CISA CSAF advisory ICSA-25-345-10. CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H confirmed in source. CWE-862 (Missing Authorization) referenced in advisory.

Official resources

2025-12-11T07:00:00.000Z