{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/opcenter-x--v2604/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":10,"id":"CVE-2026-56451"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Opcenter X (\u003c V2604)"],"_cs_severities":["critical"],"_cs_tags":["cve","authentication-bypass","jwt","remote-code-execution","critical-vulnerability"],"_cs_type":"advisory","_cs_vendors":["Siemens AG"],"content_html":"\u003cp\u003eA critical security vulnerability, identified as CVE-2026-56451, has been discovered in all versions of Siemens Opcenter X prior to V2604. This flaw originates from the application's failure to adequately validate the algorithm specified within the JSON Web Token (JWT) header during the authentication process. An unauthenticated remote attacker can exploit this weakness by crafting a malicious JWT where the algorithm is set to \u0026quot;none\u0026quot; or another insecure value, effectively bypassing the signature verification. Successful exploitation allows the attacker to forge arbitrary JWTs, impersonate any user, including administrative accounts, and gain full unauthorized access to the affected Opcenter X application. The vulnerability poses a severe risk, as it grants attackers complete control over the system without requiring any prior authentication or user interaction.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated remote attacker identifies an accessible Siemens Opcenter X instance vulnerable to CVE-2026-56451.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious JSON Web Token (JWT) intended for authentication with the Opcenter X application.\u003c/li\u003e\n\u003cli\u003eWithin the JWT header, the attacker manipulates the \u003ccode\u003ealg\u003c/code\u003e (algorithm) parameter, setting it to an insecure value such as \u0026quot;none\u0026quot;.\u003c/li\u003e\n\u003cli\u003eThe attacker populates the JWT payload with claims, specifically the \u003ccode\u003esub\u003c/code\u003e (subject) claim, to impersonate a legitimate user, potentially an administrative account.\u003c/li\u003e\n\u003cli\u003eThe forged JWT, lacking a valid signature due to the \u0026quot;none\u0026quot; algorithm, is then submitted to the Opcenter X application's authentication endpoint.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the Opcenter X application improperly processes the JWT, failing to validate the integrity of the token's algorithm.\u003c/li\u003e\n\u003cli\u003eThe application grants the attacker unauthorized access, treating the forged JWT as valid and bestowing the privileges of the impersonated user.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves full unauthorized access to the Opcenter X application, including administrative control and potentially sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-56451 results in a complete authentication bypass, granting unauthenticated remote attackers full control over the affected Siemens Opcenter X application. This includes the ability to impersonate any user, specifically administrative accounts, leading to unauthorized modification, deletion, or exfiltration of sensitive data, disruption of operations, and potentially further compromise of connected systems. Given the CVSSv3.1 score of 10.0, the impact is considered critical, presenting the highest risk of confidentiality, integrity, and availability compromise without any user interaction or prior authorization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch Siemens Opcenter X installations to version V2604 or later to remediate CVE-2026-56451.\u003c/li\u003e\n\u003cli\u003eMonitor authentication logs for Siemens Opcenter X for any anomalous login attempts or successful authentications from unknown sources or highly privileged accounts.\u003c/li\u003e\n\u003cli\u003eImplement Web Application Firewall (WAF) rules to detect and potentially block HTTP requests containing JWTs with known insecure \u003ccode\u003ealg\u003c/code\u003e parameters if possible, prior to reaching the application.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-14T10:18:21Z","date_published":"2026-07-14T10:18:21Z","id":"https://feed.craftedsignal.io/briefs/2026-07-opcenter-x-jwt-bypass/","summary":"A critical vulnerability, CVE-2026-56451, in Siemens Opcenter X versions prior to V2604 allows unauthenticated remote attackers to forge arbitrary JSON Web Tokens (JWTs) due to improper algorithm validation, leading to full authentication bypass, user impersonation including administrative accounts, and complete unauthorized access to the application.","title":"Critical JWT Authentication Bypass in Siemens Opcenter X (CVE-2026-56451)","url":"https://feed.craftedsignal.io/briefs/2026-07-opcenter-x-jwt-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Opcenter X (\u003c V2604)","version":"https://jsonfeed.org/version/1.1"}