SYS::ONLINE
Wasteland.
Briefs1204
Issues19
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-56451 2026-07-14

CVE-2026-56451: Critical JWT Authentication Bypass in Siemens Opcenter X

"A critical algorithm-confusion flaw in Siemens Opcenter X lets unauthenticated remote attackers forge JWTs and impersonate any user, including administrators, earning a maximum CVSS score of 10.0."

A critical algorithm-confusion flaw in Siemens Opcenter X lets unauthenticated remote attackers forge JWTs and impersonate any user, including administrators, earning a maximum CVSS score of 10.0.

What Is It

CVE-2026-56451 is an authentication bypass in Siemens Opcenter X. According to the NVD record, affected applications "do not properly validate the algorithm specified in the JSON Web Token (JWT) header." This weakness is classified as CWE-347 (Improper Verification of Cryptographic Signature). Because the application trusts the algorithm declared in the token header, an attacker can forge arbitrary JWTs and defeat the authentication layer entirely.

Why It Matters

This vulnerability carries a CVSS 3.1 base score of 10.0 (CRITICAL) with the vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. It is remotely exploitable over the network, requires low attack complexity, and needs no privileges or user interaction. A successful attacker can "bypass authentication mechanisms and impersonate any user including administrative accounts, potentially gaining full unauthorized access to the application." The scope is marked as Changed, reflecting impact beyond the vulnerable component itself. A parallel CVSS 4.0 assessment also rates it 10.0.

What's Vulnerable

The affected product is Siemens Opcenter X, all versions prior to V2604. No specific CPE configurations are enumerated in the supplied NVD data beyond this version boundary.

Patch Status

The version data indicates the flaw is resolved in V2604 and later, so upgrading to at least V2604 is the remediation path implied by the affected-version range. Siemens has published advisory SSA-096828 through its ProductCERT portal (linked below); administrators should consult it for authoritative fix and mitigation guidance. The supplied source material does not include a CISA KEV entry, so there is no confirmation of active exploitation at this time.

Sources