9 vulnerabilities found for openremote by openremote
CVE-2026-41166 (GCVE-0-2026-41166)
Vulnerability from nvd – Published: 2026-04-22 20:31 – Updated: 2026-04-28 03:55
Title
OpenRemote has Improper Access Control via updateUserRealmRoles function
Summary
OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has `write:admin` in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including `master`. The handler uses the `{realm}` path segment when talking to the identity provider but does not check that the caller may administer that realm. This could result in a privilege escalation to `master` realm administrator if the attacker controls any user in the `master` realm. Version 1.22.1 fixes the issue.
Severity
CWE
- CWE-284 - Improper Access Control
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/openremote/openremote/security… | x_refsource_CONFIRM |
| https://github.com/openremote/openremote/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| openremote | openremote | Affected: < 1.22.1 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41166",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T03:55:21.242Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/openremote/openremote/security/advisories/GHSA-49vv-25qx-mg44"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openremote",
"vendor": "openremote",
"versions": [
{
"status": "affected",
"version": "\u003c 1.22.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has `write:admin` in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including `master`. The handler uses the `{realm}` path segment when talking to the identity provider but does not check that the caller may administer that realm. This could result in a privilege escalation to `master` realm administrator if the attacker controls any user in `master` realm. Version 1.22.1 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T20:31:29.234Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openremote/openremote/security/advisories/GHSA-49vv-25qx-mg44",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openremote/openremote/security/advisories/GHSA-49vv-25qx-mg44"
},
{
"name": "https://github.com/openremote/openremote/releases/tag/1.22.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openremote/openremote/releases/tag/1.22.1"
}
],
"source": {
"advisory": "GHSA-49vv-25qx-mg44",
"discovery": "UNKNOWN"
},
"title": "OpenRemote has Improper Access Control via updateUserRealmRoles function"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41166",
"datePublished": "2026-04-22T20:31:29.234Z",
"dateReserved": "2026-04-17T16:34:45.525Z",
"dateUpdated": "2026-04-28T03:55:21.242Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40882 (GCVE-0-2026-40882)
Vulnerability from nvd – Published: 2026-04-22 20:33 – Updated: 2026-04-23 13:47
Title
OpenRemote has XXE in Velbus Asset Import
Summary
OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which can lead to server-side file disclosure and SSRF. The target file must be less than 1023 characters. Version 1.22.0 fixes the issue.
Severity
7.6 (High)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/openremote/openremote/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| openremote | openremote | Affected: < 1.22.0 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40882",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-23T13:46:44.026868Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T13:47:07.964Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/openremote/openremote/security/advisories/GHSA-g24f-mgc3-jwwc"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openremote",
"vendor": "openremote",
"versions": [
{
"status": "affected",
"version": "\u003c 1.22.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which can lead to server-side file disclosure and SSRF. The target file must be less than 1023 characters. Version 1.22.0 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T20:33:23.304Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openremote/openremote/security/advisories/GHSA-g24f-mgc3-jwwc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openremote/openremote/security/advisories/GHSA-g24f-mgc3-jwwc"
}
],
"source": {
"advisory": "GHSA-g24f-mgc3-jwwc",
"discovery": "UNKNOWN"
},
"title": "OpenRemote has XXE in Velbus Asset Import"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40882",
"datePublished": "2026-04-22T20:33:23.304Z",
"dateReserved": "2026-04-15T15:57:41.719Z",
"dateUpdated": "2026-04-23T13:47:07.964Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39842 (GCVE-0-2026-39842)
Vulnerability from nvd – Published: 2026-04-14 23:21 – Updated: 2026-04-16 13:58
Title
OpenRemote is Vulnerable to Expression Injection
Summary
OpenRemote is an open-source IoT platform. Versions 1.21.0 and below contain two interrelated expression injection vulnerabilities in the rules engine that allow arbitrary code execution on the server. The JavaScript rules engine executes user-supplied scripts via Nashorn's ScriptEngine.eval() without sandboxing, class filtering, or access restrictions, and the authorization check in RulesResourceImpl only restricts Groovy rules to superusers while leaving JavaScript rules unrestricted for any user with the write:rules role. Additionally, the Groovy rules engine has a GroovyDenyAllFilter security filter that is defined but never registered, as the registration code is commented out, rendering the SandboxTransformer ineffective for superuser-created Groovy rules. A non-superuser attacker with the write:rules role can create JavaScript rulesets that execute with full JVM access, enabling remote code execution as root, arbitrary file read, environment variable theft including database credentials, and complete multi-tenant isolation bypass to access data across all realms. This issue has been fixed in version 1.22.0.
Severity
10 (Critical)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/openremote/openremote/security… | x_refsource_CONFIRM |
| https://github.com/openremote/openremote/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| openremote | openremote | Affected: < 1.22.0 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39842",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-16T13:58:20.241436Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T13:58:42.988Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openremote",
"vendor": "openremote",
"versions": [
{
"status": "affected",
"version": "\u003c 1.22.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenRemote is an open-source IoT platform. Versions 1.21.0 and below contain two interrelated expression injection vulnerabilities in the rules engine that allow arbitrary code execution on the server. The JavaScript rules engine executes user-supplied scripts via Nashorn\u0027s ScriptEngine.eval() without sandboxing, class filtering, or access restrictions, and the authorization check in RulesResourceImpl only restricts Groovy rules to superusers while leaving JavaScript rules unrestricted for any user with the write:rules role. Additionally, the Groovy rules engine has a GroovyDenyAllFilter security filter that is defined but never registered, as the registration code is commented out, rendering the SandboxTransformer ineffective for superuser-created Groovy rules. A non-superuser attacker with the write:rules role can create JavaScript rulesets that execute with full JVM access, enabling remote code execution as root, arbitrary file read, environment variable theft including database credentials, and complete multi-tenant isolation bypass to access data across all realms. This issue has been fixed in version 1.22.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-917",
"description": "CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T23:21:22.242Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openremote/openremote/security/advisories/GHSA-7mqr-33rv-p3mp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openremote/openremote/security/advisories/GHSA-7mqr-33rv-p3mp"
},
{
"name": "https://github.com/openremote/openremote/releases/tag/1.22.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openremote/openremote/releases/tag/1.22.0"
}
],
"source": {
"advisory": "GHSA-7mqr-33rv-p3mp",
"discovery": "UNKNOWN"
},
"title": "OpenRemote is Vulnerable to Expression Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-39842",
"datePublished": "2026-04-14T23:21:22.242Z",
"dateReserved": "2026-04-07T19:13:20.377Z",
"dateUpdated": "2026-04-16T13:58:42.988Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-31860 (GCVE-0-2022-31860)
Vulnerability from nvd – Published: 2022-09-06 17:50 – Updated: 2025-06-12 13:54
Summary
An issue was discovered in OpenRemote through 1.0.4 that allows attackers to execute arbitrary code via a crafted Groovy rule.
Severity
9.8 (Critical)
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/openremote/openremote/ | x_refsource_MISC |
| https://stackoverflow.com/questions/159148/groovy… | x_refsource_MISC |
| https://stackoverflow.com/questions/66069960/groo… | x_refsource_MISC |
| https://securityblog101.blogspot.com/2022/09/cve-… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:26:01.286Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/openremote/openremote/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://stackoverflow.com/questions/159148/groovy-executing-shell-commands"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://stackoverflow.com/questions/66069960/groovy-shell-sandboxing-best-practices"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://securityblog101.blogspot.com/2022/09/cve-2022-31860.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-31860",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-12T13:54:32.930583Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-12T13:54:37.378Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in OpenRemote through 1.0.4 allows attackers to execute arbitrary code via a crafted Groovy rule."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-06T17:50:24.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openremote/openremote/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://stackoverflow.com/questions/159148/groovy-executing-shell-commands"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://stackoverflow.com/questions/66069960/groovy-shell-sandboxing-best-practices"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://securityblog101.blogspot.com/2022/09/cve-2022-31860.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-31860",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in OpenRemote through 1.0.4 allows attackers to execute arbitrary code via a crafted Groovy rule."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/openremote/openremote/",
"refsource": "MISC",
"url": "https://github.com/openremote/openremote/"
},
{
"name": "https://stackoverflow.com/questions/159148/groovy-executing-shell-commands",
"refsource": "MISC",
"url": "https://stackoverflow.com/questions/159148/groovy-executing-shell-commands"
},
{
"name": "https://stackoverflow.com/questions/66069960/groovy-shell-sandboxing-best-practices",
"refsource": "MISC",
"url": "https://stackoverflow.com/questions/66069960/groovy-shell-sandboxing-best-practices"
},
{
"name": "https://securityblog101.blogspot.com/2022/09/cve-2022-31860.html",
"refsource": "MISC",
"url": "https://securityblog101.blogspot.com/2022/09/cve-2022-31860.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-31860",
"datePublished": "2022-09-06T17:50:24.000Z",
"dateReserved": "2022-05-31T00:00:00.000Z",
"dateUpdated": "2025-06-12T13:54:37.378Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-40882 (GCVE-0-2026-40882)
Vulnerability from cvelistv5 – Published: 2026-04-22 20:33 – Updated: 2026-04-23 13:47
Title
OpenRemote has XXE in Velbus Asset Import
Summary
OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which can lead to server-side file disclosure and SSRF. The target file must be less than 1023 characters. Version 1.22.0 fixes the issue.
Severity
7.6 (High)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/openremote/openremote/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| openremote | openremote | Affected: < 1.22.0 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40882",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-23T13:46:44.026868Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T13:47:07.964Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/openremote/openremote/security/advisories/GHSA-g24f-mgc3-jwwc"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openremote",
"vendor": "openremote",
"versions": [
{
"status": "affected",
"version": "\u003c 1.22.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which can lead to server-side file disclosure and SSRF. The target file must be less than 1023 characters. Version 1.22.0 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T20:33:23.304Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openremote/openremote/security/advisories/GHSA-g24f-mgc3-jwwc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openremote/openremote/security/advisories/GHSA-g24f-mgc3-jwwc"
}
],
"source": {
"advisory": "GHSA-g24f-mgc3-jwwc",
"discovery": "UNKNOWN"
},
"title": "OpenRemote has XXE in Velbus Asset Import"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40882",
"datePublished": "2026-04-22T20:33:23.304Z",
"dateReserved": "2026-04-15T15:57:41.719Z",
"dateUpdated": "2026-04-23T13:47:07.964Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41166 (GCVE-0-2026-41166)
Vulnerability from cvelistv5 – Published: 2026-04-22 20:31 – Updated: 2026-04-28 03:55
Title
OpenRemote has Improper Access Control via updateUserRealmRoles function
Summary
OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has `write:admin` in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including `master`. The handler uses the `{realm}` path segment when talking to the identity provider but does not check that the caller may administer that realm. This could result in a privilege escalation to `master` realm administrator if the attacker controls any user in the `master` realm. Version 1.22.1 fixes the issue.
Severity
CWE
- CWE-284 - Improper Access Control
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/openremote/openremote/security… | x_refsource_CONFIRM |
| https://github.com/openremote/openremote/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| openremote | openremote | Affected: < 1.22.1 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41166",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T03:55:21.242Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/openremote/openremote/security/advisories/GHSA-49vv-25qx-mg44"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openremote",
"vendor": "openremote",
"versions": [
{
"status": "affected",
"version": "\u003c 1.22.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has `write:admin` in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including `master`. The handler uses the `{realm}` path segment when talking to the identity provider but does not check that the caller may administer that realm. This could result in a privilege escalation to `master` realm administrator if the attacker controls any user in `master` realm. Version 1.22.1 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T20:31:29.234Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openremote/openremote/security/advisories/GHSA-49vv-25qx-mg44",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openremote/openremote/security/advisories/GHSA-49vv-25qx-mg44"
},
{
"name": "https://github.com/openremote/openremote/releases/tag/1.22.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openremote/openremote/releases/tag/1.22.1"
}
],
"source": {
"advisory": "GHSA-49vv-25qx-mg44",
"discovery": "UNKNOWN"
},
"title": "OpenRemote has Improper Access Control via updateUserRealmRoles function"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41166",
"datePublished": "2026-04-22T20:31:29.234Z",
"dateReserved": "2026-04-17T16:34:45.525Z",
"dateUpdated": "2026-04-28T03:55:21.242Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39842 (GCVE-0-2026-39842)
Vulnerability from cvelistv5 – Published: 2026-04-14 23:21 – Updated: 2026-04-16 13:58
Title
OpenRemote is Vulnerable to Expression Injection
Summary
OpenRemote is an open-source IoT platform. Versions 1.21.0 and below contain two interrelated expression injection vulnerabilities in the rules engine that allow arbitrary code execution on the server. The JavaScript rules engine executes user-supplied scripts via Nashorn's ScriptEngine.eval() without sandboxing, class filtering, or access restrictions, and the authorization check in RulesResourceImpl only restricts Groovy rules to superusers while leaving JavaScript rules unrestricted for any user with the write:rules role. Additionally, the Groovy rules engine has a GroovyDenyAllFilter security filter that is defined but never registered, as the registration code is commented out, rendering the SandboxTransformer ineffective for superuser-created Groovy rules. A non-superuser attacker with the write:rules role can create JavaScript rulesets that execute with full JVM access, enabling remote code execution as root, arbitrary file read, environment variable theft including database credentials, and complete multi-tenant isolation bypass to access data across all realms. This issue has been fixed in version 1.22.0.
Severity
10 (Critical)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/openremote/openremote/security… | x_refsource_CONFIRM |
| https://github.com/openremote/openremote/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| openremote | openremote | Affected: < 1.22.0 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39842",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-16T13:58:20.241436Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T13:58:42.988Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openremote",
"vendor": "openremote",
"versions": [
{
"status": "affected",
"version": "\u003c 1.22.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenRemote is an open-source IoT platform. Versions 1.21.0 and below contain two interrelated expression injection vulnerabilities in the rules engine that allow arbitrary code execution on the server. The JavaScript rules engine executes user-supplied scripts via Nashorn\u0027s ScriptEngine.eval() without sandboxing, class filtering, or access restrictions, and the authorization check in RulesResourceImpl only restricts Groovy rules to superusers while leaving JavaScript rules unrestricted for any user with the write:rules role. Additionally, the Groovy rules engine has a GroovyDenyAllFilter security filter that is defined but never registered, as the registration code is commented out, rendering the SandboxTransformer ineffective for superuser-created Groovy rules. A non-superuser attacker with the write:rules role can create JavaScript rulesets that execute with full JVM access, enabling remote code execution as root, arbitrary file read, environment variable theft including database credentials, and complete multi-tenant isolation bypass to access data across all realms. This issue has been fixed in version 1.22.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-917",
"description": "CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T23:21:22.242Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openremote/openremote/security/advisories/GHSA-7mqr-33rv-p3mp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openremote/openremote/security/advisories/GHSA-7mqr-33rv-p3mp"
},
{
"name": "https://github.com/openremote/openremote/releases/tag/1.22.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openremote/openremote/releases/tag/1.22.0"
}
],
"source": {
"advisory": "GHSA-7mqr-33rv-p3mp",
"discovery": "UNKNOWN"
},
"title": "OpenRemote is Vulnerable to Expression Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-39842",
"datePublished": "2026-04-14T23:21:22.242Z",
"dateReserved": "2026-04-07T19:13:20.377Z",
"dateUpdated": "2026-04-16T13:58:42.988Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-31860 (GCVE-0-2022-31860)
Vulnerability from cvelistv5 – Published: 2022-09-06 17:50 – Updated: 2025-06-12 13:54
Summary
An issue was discovered in OpenRemote through 1.0.4 that allows attackers to execute arbitrary code via a crafted Groovy rule.
Severity
9.8 (Critical)
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/openremote/openremote/ | x_refsource_MISC |
| https://stackoverflow.com/questions/159148/groovy… | x_refsource_MISC |
| https://stackoverflow.com/questions/66069960/groo… | x_refsource_MISC |
| https://securityblog101.blogspot.com/2022/09/cve-… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:26:01.286Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/openremote/openremote/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://stackoverflow.com/questions/159148/groovy-executing-shell-commands"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://stackoverflow.com/questions/66069960/groovy-shell-sandboxing-best-practices"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://securityblog101.blogspot.com/2022/09/cve-2022-31860.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-31860",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-12T13:54:32.930583Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-12T13:54:37.378Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in OpenRemote through 1.0.4 allows attackers to execute arbitrary code via a crafted Groovy rule."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-06T17:50:24.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openremote/openremote/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://stackoverflow.com/questions/159148/groovy-executing-shell-commands"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://stackoverflow.com/questions/66069960/groovy-shell-sandboxing-best-practices"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://securityblog101.blogspot.com/2022/09/cve-2022-31860.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-31860",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in OpenRemote through 1.0.4 allows attackers to execute arbitrary code via a crafted Groovy rule."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/openremote/openremote/",
"refsource": "MISC",
"url": "https://github.com/openremote/openremote/"
},
{
"name": "https://stackoverflow.com/questions/159148/groovy-executing-shell-commands",
"refsource": "MISC",
"url": "https://stackoverflow.com/questions/159148/groovy-executing-shell-commands"
},
{
"name": "https://stackoverflow.com/questions/66069960/groovy-shell-sandboxing-best-practices",
"refsource": "MISC",
"url": "https://stackoverflow.com/questions/66069960/groovy-shell-sandboxing-best-practices"
},
{
"name": "https://securityblog101.blogspot.com/2022/09/cve-2022-31860.html",
"refsource": "MISC",
"url": "https://securityblog101.blogspot.com/2022/09/cve-2022-31860.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-31860",
"datePublished": "2022-09-06T17:50:24.000Z",
"dateReserved": "2022-05-31T00:00:00.000Z",
"dateUpdated": "2025-06-12T13:54:37.378Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
FKIE_CVE-2022-31860
Vulnerability from fkie_nvd - Published: 2022-09-06 18:15 - Updated: 2025-06-12 14:15
Severity
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
An issue was discovered in OpenRemote through 1.0.4 that allows attackers to execute arbitrary code via a crafted Groovy rule.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| openremote | openremote | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openremote:openremote:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2B8CE757-01D6-4481-A8D5-FAC242D3C072",
"versionEndIncluding": "1.0.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in OpenRemote through 1.0.4 allows attackers to execute arbitrary code via a crafted Groovy rule."
},
{
"lang": "es",
"value": "Se ha detectado un problema en OpenRemote versiones hasta 1.0.4, que permite a atacantes ejecutar c\u00f3digo arbitrario por medio de una regla Groovy dise\u00f1ada."
}
],
"id": "CVE-2022-31860",
"lastModified": "2025-06-12T14:15:29.390",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-09-06T18:15:15.487",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://github.com/openremote/openremote/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://securityblog101.blogspot.com/2022/09/cve-2022-31860.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://stackoverflow.com/questions/159148/groovy-executing-shell-commands"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://stackoverflow.com/questions/66069960/groovy-shell-sandboxing-best-practices"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://github.com/openremote/openremote/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://securityblog101.blogspot.com/2022/09/cve-2022-31860.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://stackoverflow.com/questions/159148/groovy-executing-shell-commands"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://stackoverflow.com/questions/66069960/groovy-shell-sandboxing-best-practices"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}