A critical algorithm-confusion flaw in Siemens Opcenter X lets unauthenticated remote attackers forge JWTs and impersonate any user, including administrators, earning a maximum CVSS score of 10.0.
What Is It
CVE-2026-56451 is an authentication bypass in Siemens Opcenter X. According to the NVD record, affected applications "do not properly validate the algorithm specified in the JSON Web Token (JWT) header." This weakness is classified as CWE-347 (Improper Verification of Cryptographic Signature). Because the application trusts the algorithm declared in the token header, an attacker can forge arbitrary JWTs and defeat the authentication layer entirely.
Why It Matters
This vulnerability carries a CVSS 3.1 base score of 10.0 (CRITICAL) with the vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. It is remotely exploitable over the network, requires low attack complexity, and needs no privileges or user interaction. A successful attacker can "bypass authentication mechanisms and impersonate any user including administrative accounts, potentially gaining full unauthorized access to the application." The scope is marked as Changed, reflecting impact beyond the vulnerable component itself. A parallel CVSS 4.0 assessment also rates it 10.0.
What's Vulnerable
The affected product is Siemens Opcenter X, all versions prior to V2604. No specific CPE configurations are enumerated in the supplied NVD data beyond this version boundary.
Patch Status
The version data indicates the flaw is resolved in V2604 and later, so upgrading to at least V2604 is the remediation path implied by the affected-version range. Siemens has published advisory SSA-096828 through its ProductCERT portal (linked below); administrators should consult it for authoritative fix and mitigation guidance. The supplied source material does not include a CISA KEV entry, so there is no confirmation of active exploitation at this time.
Sources
- NVD, CVE-2026-56451: https://nvd.nist.gov/vuln/detail/CVE-2026-56451
- Siemens ProductCERT Advisory SSA-096828: https://cert-portal.siemens.com/productcert/html/ssa-096828.html