www.cisa.gov 5/5/2026, 8:01:58 PM

ABB B&R PVI

CyberSIXT Evidence Panel
Primary Source: github.com
CISA KEV: Not in KEV
Patch: Patch Status Unknown

According to ABB PSIRT, ABB became aware of a vulnerability in ABB B&R PVI, and an update is now available to address it. The affected product versions are PVI <6.5.0, 6.5.0. The vulnerability, CVE-2026-0936, could allow an authenticated local attacker to read sensitive information from the PVI client's logging data, though logging is disabled by default.

The advisory gives a CVSS v3.1 base score of 5 (medium) and specifies that the issue is limited to PVI client-side logging and does not affect PVI server logging. Remediation involves updating to PVI 6.5.0; ABB recommends applying the update at the earliest convenience and following the steps in the user manual to identify the installed version.

Mitigations also emphasise limiting logging to troubleshooting needs and securely deleting log data when no longer required, while ensuring only the respective user has access to log directories. The advisory was republished by CISA on 5 May 2026.

Article by CyberSIXT