{"uuid": "3c698deb-f222-4ab1-b422-6c5ac37a3692", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-CGFV-JRFP-2R7V", "type": "seen", "source": "https://gist.github.com/alon710/031e4a60a1dad95089a914b9f0b56e00", "content": "# GHSA-CGFV-JRFP-2R7V: GHSA-cgfv-jrfp-2r7v: Authenticated SQL Injection in OpenRemote Datapoint Crosstab Export\n\n&gt; **CVSS Score:** 8.5\n&gt; **Published:** 2026-07-06\n&gt; **Full Report:** https://cvereports.com/reports/GHSA-CGFV-JRFP-2R7V\n\n## Summary\nAn authenticated SQL injection vulnerability exists in the datapoint crosstab export functionality of OpenRemote. The vulnerability is caused by insecure manual SQL string construction that concatenates user-controlled display data, specifically asset display names and attribute names, directly into raw SQL statements. These statements are processed by the PostgreSQL database engine using the crosstab function to structure dynamic CSV outputs.\n\n## TL;DR\nAuthenticated SQL injection in OpenRemote's CSV crosstab export via crafted asset names, allowing data exfiltration from multi-tenant PostgreSQL databases.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-89\n- **Attack Vector**: Network\n- **CVSS**: 8.5 (High)\n- **Exploit Status**: poc\n- **Impact**: Data Exfiltration / Tenant Boundary Bypass\n- **KEV Status**: Not Listed\n- **Patch Status**: Patched in 1.26.0\n\n## Affected Systems\n\n- OpenRemote\n- OpenRemote Manager\n- **openremote-manager**: &lt; 1.26.0 (Fixed in: `1.26.0`)\n\n## Mitigation\n\n- Upgrade OpenRemote to version 1.26.0 or newer.\n- Restrict asset creation and modification privileges in tenant spaces.\n- Deploy WAF rules to detect SQL syntax in asset update payloads.\n\n**Remediation Steps:**\n1. Identify any vulnerable OpenRemote deployments utilizing versions older than 1.26.0.\n2. Download and apply the updated Docker container or Maven package matching version 1.26.0.\n3. Validate asset schemas for abnormal characters such as dollar-signs or double-quotes.\n4. Monitor PostgreSQL queries for unusual crosstab commands in the server logs.\n\n## References\n\n- [GitHub Security Advisory GHSA-cgfv-jrfp-2r7v](https://github.com/openremote/openremote/security/advisories/GHSA-cgfv-jrfp-2r7v)\n- [OpenRemote Repository](https://github.com/openremote/openremote)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-CGFV-JRFP-2R7V) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-07T00:41:49.224888Z"}