Share
## https://sploitus.com/exploit?id=1708D9B1-2243-5D33-9F4D-720F9031E878
# CVE-2026-31156
There is a path injection vulnerability in OpenPLC-v3, which arises from the program not performing any validity checks on the file path parameters passed in from the command line. Attackers can read any readable file by constructing malicious paths, posing a risk of information leakage.

## Vulnerability Type
- Improper Input Validation (Path Injection)

- Information Disclosure (Arbitrary File Read)

## Vulnerability Overview

The binary program compiled from glue_generator.cpp contains an arbitrary file read vulnerability caused by insufficient validation of user-supplied file paths.

An attacker can specify an arbitrary file as the input argument (e.g., /etc/passwd) when executing the program. The application subsequently reads the file line by line, parses the content, and directly prints the parsed data to the console using cout without performing any validation on:

- file path legitimacy,
- file content format,
- file access restrictions, or
- sensitive file protections.

As a result, attackers can read any file accessible to the privilege context of the running process, leading to sensitive information disclosure.

## Attack Prerequisites
1.The attacker is able to execute the vulnerable binary.

2.The running user account has read permission for the target file.
## Impact

Successful exploitation may disclose sensitive system information, including but not limited to:

- user account information,
- password hashes,
- configuration files,
- private keys,
- application secrets, and
- other confidential data.

This information may facilitate further privilege escalation or lateral movement.

## Technical Details

In `glue_generator.cpp`, the program uses two string arrays, `varName` and `varType`, to process and print parsed file contents to the command line.

During parsing, the program expects a specific line format:

```text
(,,
```
Specifically:

the content between `(` and the first `,` is assigned to `varType`;
the content between the first and second `,` is assigned to `varName`.

No validation is performed on the source file path or the legitimacy of the parsed data.

## Proof of Concept
Step 1: Create a Test File

Create a file named `test.txt` with the following content:
```text
(aaaaaaaa,123,
```
Step 2: Execute the Vulnerable Program

Run the following command:
```text
./glue_generator ./test.txt whatever.cpp
```
The program will parse the content and print the extracted values to the console.

Step 3: Arbitrary File Read

If an attacker can modify or control a sensitive file (for example /etc/passwd) to include data matching the required format:

```text
(aaaaaaaa,123,
```
the vulnerable program will parse and print the corresponding content from the file.

For sensitive files, any line matching the following pattern may be disclosed:

```text
(,,
```
The amount of leaked information depends on:

- the number of matching lines in the target file, and
- the structure of the file contents.

## Root Cause

The vulnerability is caused by:

1.Lack of validation for user-controlled file paths.

2.Unsafe parsing logic applied to arbitrary files.

3.Direct console output of parsed content without authorization checks.

4.Absence of restrictions on accessible file locations.

## Security Recommendations

To mitigate the vulnerability:

- Restrict input files to trusted directories.
- Validate and sanitize all user-supplied file paths.
- Prevent access to system-sensitive files.
- Implement strict file format verification before parsing.
- Apply the principle of least privilege to the running process.
- Avoid printing parsed sensitive data directly to standard output.