<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Opcenter X (&lt; V2604) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/opcenter-x--v2604/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 14 Jul 2026 10:18:21 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/opcenter-x--v2604/feed.xml" rel="self" type="application/rss+xml"/><item><title>Critical JWT Authentication Bypass in Siemens Opcenter X (CVE-2026-56451)</title><link>https://feed.craftedsignal.io/briefs/2026-07-opcenter-x-jwt-bypass/</link><pubDate>Tue, 14 Jul 2026 10:18:21 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-opcenter-x-jwt-bypass/</guid><description>A critical vulnerability, CVE-2026-56451, in Siemens Opcenter X versions prior to V2604 allows unauthenticated remote attackers to forge arbitrary JSON Web Tokens (JWTs) due to improper algorithm validation, leading to full authentication bypass, user impersonation including administrative accounts, and complete unauthorized access to the application.</description><content:encoded><![CDATA[<p>A critical security vulnerability, identified as CVE-2026-56451, has been discovered in all versions of Siemens Opcenter X prior to V2604. This flaw originates from the application's failure to adequately validate the algorithm specified within the JSON Web Token (JWT) header during the authentication process. An unauthenticated remote attacker can exploit this weakness by crafting a malicious JWT where the algorithm is set to &quot;none&quot; or another insecure value, effectively bypassing the signature verification. Successful exploitation allows the attacker to forge arbitrary JWTs, impersonate any user, including administrative accounts, and gain full unauthorized access to the affected Opcenter X application. The vulnerability poses a severe risk, as it grants attackers complete control over the system without requiring any prior authentication or user interaction.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated remote attacker identifies an accessible Siemens Opcenter X instance vulnerable to CVE-2026-56451.</li>
<li>The attacker crafts a malicious JSON Web Token (JWT) intended for authentication with the Opcenter X application.</li>
<li>Within the JWT header, the attacker manipulates the <code>alg</code> (algorithm) parameter, setting it to an insecure value such as &quot;none&quot;.</li>
<li>The attacker populates the JWT payload with claims, specifically the <code>sub</code> (subject) claim, to impersonate a legitimate user, potentially an administrative account.</li>
<li>The forged JWT, lacking a valid signature due to the &quot;none&quot; algorithm, is then submitted to the Opcenter X application's authentication endpoint.</li>
<li>Due to the vulnerability, the Opcenter X application improperly processes the JWT, failing to validate the integrity of the token's algorithm.</li>
<li>The application grants the attacker unauthorized access, treating the forged JWT as valid and bestowing the privileges of the impersonated user.</li>
<li>The attacker achieves full unauthorized access to the Opcenter X application, including administrative control and potentially sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-56451 results in a complete authentication bypass, granting unauthenticated remote attackers full control over the affected Siemens Opcenter X application. This includes the ability to impersonate any user, specifically administrative accounts, leading to unauthorized modification, deletion, or exfiltration of sensitive data, disruption of operations, and potentially further compromise of connected systems. Given the CVSSv3.1 score of 10.0, the impact is considered critical, presenting the highest risk of confidentiality, integrity, and availability compromise without any user interaction or prior authorization.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch Siemens Opcenter X installations to version V2604 or later to remediate CVE-2026-56451.</li>
<li>Monitor authentication logs for Siemens Opcenter X for any anomalous login attempts or successful authentications from unknown sources or highly privileged accounts.</li>
<li>Implement Web Application Firewall (WAF) rules to detect and potentially block HTTP requests containing JWTs with known insecure <code>alg</code> parameters if possible, prior to reaching the application.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve</category><category>authentication-bypass</category><category>jwt</category><category>remote-code-execution</category><category>critical-vulnerability</category></item></channel></rss>