Skip to main content

Openremote

2 CVEs product

Monthly

CVE-2026-56784 Maven HIGH PATCH This Week

Cross-tenant alarm destruction in OpenRemote Manager before 1.24.2 lets any authenticated user in one realm permanently delete alarms belonging to other tenants by submitting arbitrary alarm IDs to the bulk removeAlarms() endpoint. The flaw is reported by VulnCheck with a CVSS 4.0 score of 8.6 and a proof-of-concept exists per the SSVC assessment, but there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV. Because alarm IDs are sequential auto-increment values, enumeration and mass deletion of safety-critical and security alerts across tenants is trivial.

Authentication Bypass Openremote
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.3%
CVE-2022-31860 CRITICAL POC Act Now

An issue was discovered in OpenRemote through 1.0.4 allows attackers to execute arbitrary code via a crafted Groovy rule. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Openremote
NVD GitHub
CVSS 3.1
9.8
EPSS
1.8%
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Cross-tenant alarm destruction in OpenRemote Manager before 1.24.2 lets any authenticated user in one realm permanently delete alarms belonging to other tenants by submitting arbitrary alarm IDs to the bulk removeAlarms() endpoint. The flaw is reported by VulnCheck with a CVSS 4.0 score of 8.6 and a proof-of-concept exists per the SSVC assessment, but there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV. Because alarm IDs are sequential auto-increment values, enumeration and mass deletion of safety-critical and security alerts across tenants is trivial.

Authentication Bypass Openremote
NVD GitHub VulDB
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

An issue was discovered in OpenRemote through 1.0.4 allows attackers to execute arbitrary code via a crafted Groovy rule. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Openremote
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy