CVE-2026-8604
Description
In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigger any authenticated action through a victim's session by luring a logged-in user to a malicious webpage.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ScadaBR 1.2.0 has a CSRF vulnerability that allows an attacker to trick a logged-in user into executing arbitrary authenticated actions.
Vulnerability
ScadaBR version 1.2.0 contains a Cross-Site Request Forgery (CSRF) vulnerability [1]. The application does not implement anti-CSRF tokens or any other mechanism to verify that an authenticated request was intentionally initiated by the user rather than by a third-party page. As a result, an attacker can forge requests that mimic any action a legitimate authenticated user is able to perform. Affected product: ScadaBR version 1.2.0 [1].
Exploitation
An attacker must send a crafted link or host a malicious webpage that, when visited by a logged-in ScadaBR user, triggers an HTTP request to the ScadaBR server [1]. Because the browser attaches the user's session cookie automatically, the request executes any authenticated action the user is authorized to perform. The attacker needs no special network access beyond luring the victim to the page, and no user interaction beyond visiting the page is required [1].
Impact
Successful exploitation allows the attacker to trigger any authenticated action on the victim's behalf, including creating, modifying, or deleting configuration data, sensor readings, or user accounts [1]. The impact depends on the privileges of the victim user but could lead to full compromise of the ScadaBR instance, including disruption of industrial control operations [1].
Mitigation
No fix or patched version has been released as of the publication date (2026-05-19) [1]. Users should monitor the ScadaBR project for an update. As a workaround, users can restrict access to the ScadaBR web interface via network segmentation and ensure that operators do not browse untrusted websites while logged in. The CISA advisory recommends implementing anti-CSRF tokens in the application [1]. Operators can also set the session cookie's SameSite attribute where the deployment's web container supports it, which stops browsers from attaching the cookie to cross-site POST requests.
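The following is an added, generic illustration of the defence the advisory recommends; it is not ScadaBR code and is not part of this CVE record. It shows the synchronizer-token pattern (a per-session secret echoed back in each state-changing request and compared in constant time) combined with an Origin/Referer check, and runs it over constructed requests: a legitimate same-origin POST carrying the token, a forged cross-site POST without it, and a GET that is exempt. The application origin, path and session model are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# State-changing methods must carry a token; these are exempt (they must stay side-effect free).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Constructed origin of the protected application (assumption for this example).
APP_ORIGIN = "https://scada.example.internal"


@dataclass
class Session:
    """Cookie-backed server-side session; the CSRF token lives here, never in the cookie itself."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal model of an incoming request after the web container resolved the session cookie."""
    method: str
    path: str
    headers: dict
    form: dict
    session: Session


def origin_allowed(headers: dict) -> bool:
    """Accept the request only if the browser says it came from our own origin.

    Origin is preferred; Referer is a fallback for older browsers. A request with
    neither header is rejected, since a forged cross-site form post from a modern
    browser always carries an Origin header that would not match.
    """
    origin = headers.get("Origin")
    if origin is not None:
        return origin == APP_ORIGIN
    referer = headers.get("Referer")
    if referer is not None:
        return referer == APP_ORIGIN or referer.startswith(APP_ORIGIN + "/")
    return False


def csrf_check(req: Request) -> tuple:
    """Return (allowed, reason) for a request; reject anything that fails either layer."""
    if req.method in SAFE_METHODS:
        return True, "safe method"
    if not origin_allowed(req.headers):
        return False, "origin/referer mismatch"
    # Token may be sent as a form field or as a header set by same-origin JavaScript.
    token = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token")
    if not token or not hmac.compare_digest(token, req.session.csrf_token):
        return False, "missing or invalid csrf token"
    return True, "token ok"


def demo() -> dict:
    """Run the check over constructed requests and return each verdict by name."""
    sess = Session(user="operator")  # constructed session
    cases = {
        # Legitimate same-origin form submission rendered with the session's token.
        "legit_post": Request("POST", "/config/update", {"Origin": APP_ORIGIN},
                              {"csrf_token": sess.csrf_token, "value": "1"}, sess),
        # Forged POST from another site: browser attaches the cookie, but not the token.
        "forged_post": Request("POST", "/config/update", {"Origin": "https://attacker.example"},
                               {"value": "1"}, sess),
        # Same-origin POST that lost its token (e.g. stale form): still rejected.
        "tokenless_same_origin": Request("POST", "/config/update", {"Origin": APP_ORIGIN},
                                         {"value": "1"}, sess),
        # Plain GET is exempt by design; it must not change state.
        "read_only_get": Request("GET", "/config/view", {}, {}, sess),
    }
    return {name: csrf_check(r)[0] for name, r in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'REJECTED'}")
```

The two layers fail independently: the origin check stops a forged request even if a token were leaked, and the token check stops a request whose origin headers were stripped by a proxy. Both rely on every state change going through a non-safe method, so any GET endpoint that mutates configuration would have to be converted to POST first.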
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
[1] CISA ICS Advisories: ScadaBR
News mentions (1)
- ScadaBR (CISA ICS Advisories)