CVE-2026-35063

Name of the Vulnerable Software and Affected Versions OpenPLC V3 (affected versions not specified)

Description The OpenPLC V3 REST API endpoint does not verify the caller's role after confirming the presence of a JWT. An authenticated user with the 'user' role can delete any user, including administrators, by providing the target user's ID. Additionally, users can create new accounts with the 'admin' role, leading to full administrator access. The API endpoint in question does not properly enforce authorization checks.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.