Skip to main content

OpenRemote Manager CVE-2026-49439

MEDIUM
Missing Authorization (CWE-862)
2026-07-06 https://github.com/openremote/openremote GHSA-xj53-j257-hxvg
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network REST endpoint requires only a valid read:assets session (PR:L, AC:L); write impact limited to predicted datapoints with no confidentiality or availability consequence.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 06, 2026 - 17:17 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 5 maven packages depend on io.openremote:openremote-manager (5 direct, 0 indirect)

Ecosystem-wide dependent count for version 1.24.1.

DescriptionGitHub Advisory

Summary

The predicted datapoint write endpoint allows users with only read:assets privileges to write predicted datapoints.

The endpoint:

text
PUT /api/{realm}/asset/predicted/{assetId}/{attributeName}

accepts write requests from users lacking write:assets.

The implementation appears to check READ_ASSETS while performing a write operation through:

java
assetPredictedDatapointService.updateValues(...)

PoC

A user was created with only:

text
read:assets

and without write:assets.

The following request succeeded:

http
PUT /api/master/asset/predicted/4Fr8Pcp7iDjrEmoSUFolvT/temperature

Request body:

json
[{"x":1779199999001,"y":1337}]

Response:

text
HTTP/2 204

Database verification confirmed the datapoint was written successfully:

text
entity_id: 4Fr8Pcp7iDjrEmoSUFolvT
attribute_name: temperature
value: 1337

Impact

Users with read-only asset permissions can modify predicted datapoints for assets.

AnalysisAI

{realm}/asset/predicted/{assetId}/{attributeName}) incorrectly authorizes write operations by checking READ_ASSETS permission instead of WRITE_ASSETS, enabling any authenticated user with read:assets privileges to persist arbitrary predicted datapoint values to the database. This privilege escalation exposes IoT asset prediction data to tampering by low-privileged or compromised accounts. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with read:assets credentials
Delivery
Enumerate valid assetId and attributeName via read API
Exploit
Craft PUT /api/{realm}/asset/predicted/{assetId}/{attributeName} with fabricated payload
Execution
Server applies incorrect READ_ASSETS check and accepts write
Persist
Predicted datapoint persisted to database
Impact
Corrupted forecast data influences downstream automation or monitoring

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated session with at least read:assets privilege assigned; write:assets is explicitly NOT required, which is the vulnerability. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 4.3 Medium (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) is consistent with the technical facts: the flaw is network-reachable and trivially exploitable once the attacker holds a read:assets session, but the impact is bounded to integrity of predicted datapoints only - no confidentiality breach and no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a compromised or intentionally low-privileged read:assets service account enumerates asset IDs and attribute names via the read API, then sends a crafted PUT request to /api/master/asset/predicted/{assetId}/temperature with a fabricated datapoint payload. The server executes the write without the correct authorization check, persisting the false prediction to the database with a 204 response - as confirmed by the public PoC in advisory GHSA-xj53-j257-hxvg - potentially skewing downstream analytics or automation that consumes predicted sensor values.
Remediation Upgrade io.openremote:openremote-manager to the patched release that incorporates commit 583dbbfb96076ba099be8729ddf506acf9e48325 (https://github.com/openremote/openremote/commit/583dbbfb96076ba099be8729ddf506acf9e48325); monitor the GitHub Advisory GHSA-xj53-j257-hxvg (https://github.com/openremote/openremote/security/advisories/GHSA-xj53-j257-hxvg) for the specific tagged release version, which was not independently confirmed in the available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-49439 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy