The GPL Odorizers GPL750 (XL4) device version 1.0 contains a vulnerability (CVE-2026-4436) where an unauthenticated remote attacker can send Modbus protocol packets to alter register values that serve as inputs to the odorant injection logic. This can result in injecting either too much or too little odorant into a gas line. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function) and has a CVSS 3.1 base score of 8.6, indicating high severity. The attack vector is network-based with no required privileges or user interaction, and the impact is high on integrity but no confidentiality or availability impact is noted. No patch or official remediation guidance is currently available from the vendor, and no exploits are known in the wild.

An attacker can remotely manipulate the amount of odorant injected into a gas line by sending crafted Modbus packets without authentication. This could lead to safety risks due to improper odorant levels, potentially causing hazardous conditions if gas leaks are not properly detected or if odorant levels are dangerously high. The integrity of the odorant injection control is compromised, but confidentiality and availability are not affected according to the CVSS vector. No known exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or temporary mitigation is currently available, organizations should consider restricting network access to the affected device, implementing network segmentation, and monitoring Modbus traffic for unauthorized commands as interim protective measures until a vendor patch or official guidance is released.