...
Grid Protection Alliance
Grid Solutions Division

Potential Vulnerabilities in openPDC and openHistorian Docker Containers

July 2026
Vulnerability
...

Date Published: July 3, 2026

Affects: Containerized deployments of openPDC and openHistorian using the published docker images

Severity: Advisory

Overview

Several potential vulnerabilities have been identified in the published openPDC and openHistorian docker images. These do NOT affect openPDC and openHistorian installation deployed on Windows or Windows Server Operating Systems. These images are maintained by GPA for internal testing, external testing and education only. The docker images are configured and build to allow quick and simple deployments and are not configured to be secure. Use of these images for anything but development is strongly discouraged.

Potential Vulnerability Details

The images ship with default credentials and do not force a change. These admin credentials can be overridden via environmental configuration, but the change is not required, and if not configured, the system will allow administrative access with the default credentials.

Several previously published vulnerabilities including XSS Scripting and Arbritrary File Write are still present in the docker images. These have been addressed in the applications but not updated in the published docker image.

Impact

If successfully exploited, an attacker could:

Execute arbitrary commands as root inside the container.

Mitigation/Remediation

GPA does not recommend use of the docker image. These are published for educational use only and should not be used in production. GPA recommends production systems are installed on appropriate infrastructure and officially supported operating systems (Windows and Windows Server).

GPA recommends review of all configuration when deploying openPDC or openHistorian to production environments. This includes changing or disabling all defaults accounts if applicable. GPA recommends the use of standard industry practices regarding review of default configuration and follows standard industry practice for providing documentation for all standard configurations.

Disclaimer

The information provided in this advisory is provided "as is" and does not guarantee the security of systems. We strongly recommend that users apply patches as soon as they are available and follow best practices for securing systems against known vulnerabilities.