Article - CS466565
Workarounds for Critical Windchill and FlexPLM RCE Vulnerability (CVE-2026-4681) in Out of Support Releases
Modified: 26-Mar-2026
Applies To
- Windchill PDMLink 9.0 to 10.2
- FlexPLM 9.0 to 10.2
- Apache HTTP Server 2.0-2.2
Description
- Workarounds for Critical RCE Vulnerability in Windchill and FlexPLM Out of Support Releases
- For details related to this Critical RCE vulnerability, refer to:
  - CS466318 (main article; provides guidance and actions required for Windchill and FlexPLM releases 11.0 and above)
  - CVE-2026-4681
  - CWE - CWE-94: Improper Control of Generation of Code ('Code Injection') (4.19.1)
  - Note that CVE.org only supports the latest CVSS scoring calculator (v4). Our Advisory also reflects the score of 10.0 based on the CVSS v3.1 calculator.
    - CVSS v3.1 Base Score: 10.0 (Critical)
    - CVSS v4 Base Score: 9.3 (Critical)
- For Windchill and FlexPLM releases prior to 11.0, PTC's primary recommendation remains that you disconnect your system from the public Internet until you are able to upgrade to a release where the workaround and future product fixes will be made available.