Skip to main content

OpenRemote EUVDEUVD-2026-45084

| CVE-2026-62238 HIGH
SQL Injection (CWE-89)
2026-07-17 VulnCheck GHSA-rw7h-h988-gfff
7.2
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.6 HIGH

Network-reachable authenticated SQLi needing only asset create/rename rights (PR:L, AC:L); primarily data read (C:H) with limited write/DoS via SQL (I:L/A:L), same-DB-role scope so S:U.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Jul 17, 2026 - 02:32 EUVD
Source Code Evidence Fetched
Jul 17, 2026 - 00:52 vuln.today
Analysis Generated
Jul 17, 2026 - 00:52 vuln.today
CVE Published
Jul 17, 2026 - 00:07 cve.org
HIGH 7.2

DescriptionCVE.org

OpenRemote before 1.26.0 contain an authenticated SQL injection vulnerability in the datapoint crosstab export endpoint that constructs PostgreSQL queries by concatenating asset display names into raw SQL. An authenticated attacker with asset creation or rename permissions can inject SQL through the asset name parameter and receive query results in the exported CSV response, enabling database data exfiltration.

AnalysisAI

SQL injection in OpenRemote's datapoint crosstab export endpoint (all versions before 1.26.0) lets an authenticated user with asset creation or rename permissions exfiltrate database contents by embedding SQL into an asset display name that is concatenated into a raw PostgreSQL crosstab query. Injected SELECT results are streamed back inside the ZIP/CSV export response, giving a practical read primitive against any table the manager's database role can reach - including other tenants' data in multi-tenant deployments. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with asset create/rename rights
Delivery
Store SQL payload in asset display name
Exploit
Request CSV crosstab datapoint export
Execution
Backend executes injected SELECT via crosstab COPY
Persist
Read query results from exported CSV/ZIP
Impact
Exfiltrate cross-tenant database data

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated OpenRemote session (PR:L) plus permission to create or rename at least one asset, permission to read/export datapoints for at least one attribute on that asset, and access to a CSV crosstab datapoint export format. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L, base 7.2 HIGH) is internally consistent with the description: network-reachable, low complexity, requires low privileges (an authenticated account with asset create/rename rights), no user interaction, high confidentiality impact with limited integrity/availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privilege but authenticated tenant user creates or renames an asset, setting its display name to a crafted string containing SQL (e.g., a subquery selecting from a shared manager table). The attacker then requests a CSV crosstab datapoint export for an attribute on that asset; the backend concatenates the name into the COPY (SELECT ... …
Remediation Vendor-released patch: upgrade OpenRemote to 1.26.0 or later, which fixes the query construction (fix commit 02ac83074b81617add814b2a72d459abdf374147); see the advisory at https://github.com/openremote/openremote/security/advisories/GHSA-cgfv-jrfp-2r7v. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all OpenRemote deployments and identify which are multi-tenant configurations; immediately restrict asset creation and rename permissions to administrative users only and audit recent permission assignments for abnormal activity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-1094 HIGH POC
8.1 Feb 13

PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl

CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2013-1899 MEDIUM POC
6.5 Apr 04

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re

CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2017-7546 CRITICAL
9.8 Aug 16

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow

CVE-2015-1352 MEDIUM POC
5.0 Mar 30

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t

CVE-2024-10553 CRITICAL POC
9.8 Mar 20

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra

CVE-2019-9193 HIGH POC
7.2 Apr 01

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve

CVE-2026-40887 CRITICAL POC
9.1 Apr 14

## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2024-12909 CRITICAL POC
9.8 Mar 20

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for

Share

EUVD-2026-45084 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy