Skip to main content

OpenRemote Manager CVE-2026-56784

| EUVDEUVD-2026-38444 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-23 VulnCheck GHSA-pv42-3qx9-m56g
8.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.5 HIGH

Network REST endpoint, low complexity; requires any authenticated tenant user (PR:L); scope changes because impact crosses realm boundary; integrity high (bulk deletion), confidentiality low (ID/existence leakage), availability N at system level.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Jun 23, 2026 - 22:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 23, 2026 - 22:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 23, 2026 - 22:22 vuln.today
cvss_changed
CVSS changed
Jun 23, 2026 - 22:22 NVD
7.2 (HIGH) 8.6 (HIGH)
Patch available
Jun 23, 2026 - 14:17 EUVD
Source Code Evidence Fetched
Jun 23, 2026 - 13:07 vuln.today
Analysis Generated
Jun 23, 2026 - 13:07 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 3 maven packages depend on io.openremote:openremote-manager (3 direct, 0 indirect)

Ecosystem-wide dependent count for version 1.25.0.

DescriptionCVE.org

OpenRemote Manager before 1.24.2 contains an insecure direct object reference vulnerability in the removeAlarms() method that allows authenticated users to delete alarms from other tenants by supplying arbitrary alarm IDs. The bulk deletion endpoint fails to validate that targeted alarm IDs belong to the caller's realm, enabling cross-tenant permanent destruction of safety-critical and security alerts.

AnalysisAI

Cross-tenant alarm destruction in OpenRemote Manager before 1.24.2 lets any authenticated user in one realm permanently delete alarms belonging to other tenants by submitting arbitrary alarm IDs to the bulk removeAlarms() endpoint. The flaw is reported by VulnCheck with a CVSS 4.0 score of 8.6 and a proof-of-concept exists per the SSVC assessment, but there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-priv account in any realm
Delivery
Enumerate sequential alarm IDs
Exploit
Call bulk removeAlarms() with cross-realm IDs
Execution
Bypass missing realm check
Impact
Permanently delete victim-tenant safety/security alarms

Vulnerability AssessmentAI

Exploitation Attacker must hold a valid authenticated account in any realm on the target OpenRemote Manager (PR:L) with permission to invoke the bulk alarm deletion API (alarm write permission in the caller's own realm), and must be able to reach the Manager's REST interface over the network (AV:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N is internally consistent with the description: network-reachable REST endpoint, low attack complexity, requires only a low-privileged authenticated account, no user interaction, and high impact to confidentiality (via existence/contents leakage of cross-tenant alarm IDs) and integrity (deletion of those alarms); availability is rated none, though in practice destroying safety-critical alerts is an availability-of-monitoring concern. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises a low-privileged account in any tenant of a shared OpenRemote installation, then scripts requests to the bulk removeAlarms() endpoint iterating over sequential Long alarm IDs (or a guessed range covering a target tenant), causing permanent deletion of safety-critical and security alerts belonging to other realms. A proof-of-concept exists per VulnCheck/SSVC, and because AV:N/AC:L/PR:L/UI:N the attack is fully remote, scriptable, and requires no victim interaction once an account is held.
Remediation Vendor-released patch: upgrade OpenRemote Manager to 1.24.2 or later, which adds per-alarm realm validation in the bulk path; consult GHSA-h3m5-97jq-qjrf (https://github.com/openremote/openremote/security/advisories/GHSA-h3m5-97jq-qjrf) and the VulnCheck advisory for details. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all OpenRemote Manager deployments and identify which are multi-tenant. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56784 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy