Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network REST endpoint, low complexity; requires any authenticated tenant user (PR:L); scope changes because impact crosses realm boundary; integrity high (bulk deletion), confidentiality low (ID/existence leakage), availability N at system level.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7Blast Radius
ecosystem impact- 3 maven packages depend on io.openremote:openremote-manager (3 direct, 0 indirect)
Ecosystem-wide dependent count for version 1.25.0.
DescriptionCVE.org
OpenRemote Manager before 1.24.2 contains an insecure direct object reference vulnerability in the removeAlarms() method that allows authenticated users to delete alarms from other tenants by supplying arbitrary alarm IDs. The bulk deletion endpoint fails to validate that targeted alarm IDs belong to the caller's realm, enabling cross-tenant permanent destruction of safety-critical and security alerts.
AnalysisAI
Cross-tenant alarm destruction in OpenRemote Manager before 1.24.2 lets any authenticated user in one realm permanently delete alarms belonging to other tenants by submitting arbitrary alarm IDs to the bulk removeAlarms() endpoint. The flaw is reported by VulnCheck with a CVSS 4.0 score of 8.6 and a proof-of-concept exists per the SSVC assessment, but there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must hold a valid authenticated account in any realm on the target OpenRemote Manager (PR:L) with permission to invoke the bulk alarm deletion API (alarm write permission in the caller's own realm), and must be able to reach the Manager's REST interface over the network (AV:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N is internally consistent with the description: network-reachable REST endpoint, low attack complexity, requires only a low-privileged authenticated account, no user interaction, and high impact to confidentiality (via existence/contents leakage of cross-tenant alarm IDs) and integrity (deletion of those alarms); availability is rated none, though in practice destroying safety-critical alerts is an availability-of-monitoring concern. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or compromises a low-privileged account in any tenant of a shared OpenRemote installation, then scripts requests to the bulk removeAlarms() endpoint iterating over sequential Long alarm IDs (or a guessed range covering a target tenant), causing permanent deletion of safety-critical and security alerts belonging to other realms. A proof-of-concept exists per VulnCheck/SSVC, and because AV:N/AC:L/PR:L/UI:N the attack is fully remote, scriptable, and requires no victim interaction once an account is held. |
| Remediation | Vendor-released patch: upgrade OpenRemote Manager to 1.24.2 or later, which adds per-alarm realm validation in the bulk path; consult GHSA-h3m5-97jq-qjrf (https://github.com/openremote/openremote/security/advisories/GHSA-h3m5-97jq-qjrf) and the VulnCheck advisory for details. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all OpenRemote Manager deployments and identify which are multi-tenant. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Openremote
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38444
GHSA-pv42-3qx9-m56g