
CODESYS Visualization - Insufficiently Protected Credentials

VDE-2026-052
Last update
05/21/2026 12:00
Published at
05/21/2026 12:00
Vendor(s)
CODESYS GmbH
External ID
Advisory2026-07_VDE-2026-052

Summary

A vulnerability in the CODESYS Visualization login dialog has been identified. During logins within the CODESYS Visualization, authentication data may not be sufficiently isolated when multiple users perform login operations concurrently.

As a result, an authenticated visualization user may be able to obtain credentials entered by another visualization user. The issue affects only login operations within an active visualization session and can be triggered via local and remote access to the visualization.

Impact

Exploitation of this vulnerability may allow an authenticated remote visualization user to obtain credentials entered by another visualization user, potentially with higher privileges.

Affected Product(s)

Model no.: (not specified)
Product name: CODESYS Visualization
Affected versions: vers:generic/<4.10.0.0 (all versions prior to 4.10.0.0)
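The affected range above is given in package-URL "vers" notation. The following Python script, an added example that is not part of this advisory or of any CODESYS tooling, parses that notation and checks a list of project/version pairs against it. The inventory dictionary is constructed sample data; the parser covers the single-interval constraint form used here (one bound, or two bounds joined with "|" such as ">=4.0.0.0|<4.10.0.0") and deliberately compares versions numerically, because a plain string comparison would rank "4.9.0.0" above "4.10.0.0" and report a vulnerable installation as fixed.

```python
"""Check CODESYS Visualization versions against vers:generic/<4.10.0.0.

Added example, not from the advisory or from CODESYS. SAMPLE_INVENTORY is
constructed data. Only single-interval vers ranges are handled (one bound,
or two bounds whose conjunction describes one interval); disjoint
intervals are out of scope here.
"""
from __future__ import annotations

import re

AFFECTED_RANGE = "vers:generic/<4.10.0.0"  # range as stated in the advisory
FIXED_VERSION = "4.10.0.0"                  # first fixed version per the advisory


def parse_version(s: str) -> tuple[int, ...]:
    """Split a dotted numeric version into an integer tuple."""
    if not re.fullmatch(r"\d+(\.\d+)*", s):
        raise ValueError(f"not a dotted numeric version: {s!r}")
    return tuple(int(part) for part in s.split("."))


def _cmp(v: tuple[int, ...], b: tuple[int, ...]) -> int:
    """Compare two version tuples numerically, zero-padding the shorter one
    so that 4.10 == 4.10.0.0 and 4.9.0.0 < 4.10.0.0."""
    n = max(len(v), len(b))
    v = v + (0,) * (n - len(v))
    b = b + (0,) * (n - len(b))
    return (v > b) - (v < b)


# Constraint operator -> predicate over the result of _cmp(version, bound)
_OPS = {
    "<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    ">=": lambda c: c >= 0,
    "=": lambda c: c == 0,
    "!=": lambda c: c != 0,
}


def parse_vers(spec: str) -> list[tuple[str, tuple[int, ...]]]:
    """Parse 'vers:<scheme>/<constraint>[|<constraint>...]' into (op, bound) pairs."""
    m = re.fullmatch(r"vers:([A-Za-z0-9.+-]+)/(.+)", spec)
    if not m:
        raise ValueError(f"not a vers range: {spec!r}")
    constraints = []
    for raw in m.group(2).split("|"):
        cm = re.fullmatch(r"(>=|<=|!=|<|>|=)?(.+)", raw.strip())
        if cm is None:
            raise ValueError(f"empty constraint in {spec!r}")
        op = cm.group(1) or "="
        constraints.append((op, parse_version(cm.group(2))))
    return constraints


def is_affected(version: str, spec: str = AFFECTED_RANGE) -> bool:
    """True if 'version' satisfies every bound of the (single-interval) range."""
    v = parse_version(version)
    return all(_OPS[op](_cmp(v, bound)) for op, bound in parse_vers(spec))


# Constructed sample inventory: project name -> installed Visualization version
SAMPLE_INVENTORY = {
    "line1_hmi": "4.9.0.0",
    "line2_hmi": "4.10.0.0",
    "packaging_plc": "3.5.19.0",
    "test_bench": "4.10.0.1",
}


def affected_projects(inventory: dict[str, str]) -> list[str]:
    """Return the names of projects whose version falls in the affected range."""
    return sorted(name for name, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    for name in affected_projects(SAMPLE_INVENTORY):
        print(f"{name}: {SAMPLE_INVENTORY[name]} is affected; "
              f"update to {FIXED_VERSION}, then recompile and re-download the application")
```

Note that the version check alone is not sufficient for existing projects: as the Remediation section states, the fix only takes effect after the application has been recompiled with the updated package and downloaded to the HMI or PLC again.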

Vulnerabilities


Published
05/21/2026 10:00
Weakness
Insufficiently Protected Credentials (CWE-522)
Summary

During concurrent login operations, the affected product may expose credentials between low-privileged visualization users, including remote users, because authentication data is not sufficiently isolated. Only login operations within an active visualization session are affected.

References

Mitigation

Two alternative mitigation options have been identified.
One option is to avoid using the Input Action "User Management -> Login" to switch users within an active visualization session. Instead, use the Input Action "User Management -> Logout" to log the current user out completely, then log in to the visualization again as the other user.
Alternatively, if the application does not require it, disable property handling in the visualization by deactivating Project Settings -> Visualization -> General -> Advanced -> "Activate property handling in all element properties".

Remediation

Update the following product to version 4.10.0.0.
* CODESYS Visualization

For existing affected CODESYS projects that include a visualization, the fix takes effect only after recompiling the application and performing a new download to the HMI or PLC.

The CODESYS Development System and the products available as CODESYS add-ons can be downloaded and installed directly with the CODESYS Installer or downloaded from the CODESYS Store. For all other products, and as an alternative for the above, further information on obtaining the software update is available in the CODESYS Update area: https://www.codesys.com/download/.

Acknowledgments

CODESYS GmbH thanks the following parties for their efforts:

Revision History

Version Date Summary
1.0.0 05/21/2026 12:00 Initial revision.