EXECUTIVE SUMMARY:
CVE-2026-39842, with a CVSS score of 10.0, is a critical expression injection vulnerability in the rules engine of the OpenRemote IoT platform that allows an attacker to execute arbitrary code on the server and achieve full server compromise. The affected software is the maven/io.openremote:openremote-manager package; versions before 1.21.0 are impacted. An attacker holding the write:rules role can create JavaScript rulesets that execute with full JVM access. This yields remote code execution as root, arbitrary file read, theft of environment variables including database credentials, and a complete bypass of multi-tenant isolation, exposing data across all realms. If exploited, the business impact includes full server takeover, data breaches, and potential loss of business continuity. Exploitation requires a non-superuser account with the write:rules role and access to the REST API entry point.
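As an added example (not from the advisory or the OpenRemote project), a small defender-side audit that scans an export of rulesets and flags JavaScript rules that reach out of the rules engine into the host JVM, which is the capability the advisory describes. The `lang` and `rules` field names, the pattern list and the sample export are assumptions constructed for this example.

```python
import json
import re

# Indicators that a JavaScript ruleset bridges into the host JVM
# (process execution, environment reads, file I/O, reflection).
# Constructed for this example; not OpenRemote's own detection logic.
HOST_ACCESS_PATTERNS = {
    "java_type_bridge": re.compile(r"\bJava\.type\s*\("),
    "process_exec": re.compile(r"\b(?:Runtime|ProcessBuilder)\b"),
    "env_read": re.compile(r"\.getenv\s*\("),
    "file_io": re.compile(r"\bjava\.(?:io|nio\.file)\.\w+"),
    "reflection": re.compile(r"\.getClass\s*\(\)|\bClass\.forName\b"),
}


def audit_ruleset(ruleset: dict) -> list:
    """Return the sorted names of host-access patterns found in one ruleset.

    Assumes (hypothetical field names) a JSON export with a `lang` field
    and the script body in `rules`. Only JavaScript rulesets are scanned.
    """
    if ruleset.get("lang") != "JAVASCRIPT":
        return []
    body = ruleset.get("rules", "")
    return sorted(name for name, rx in HOST_ACCESS_PATTERNS.items()
                  if rx.search(body))


def audit_export(export_json: str) -> dict:
    """Map ruleset name -> findings for every flagged ruleset in an export."""
    findings = {}
    for rs in json.loads(export_json):
        hits = audit_ruleset(rs)
        if hits:
            findings[rs.get("name", "<unnamed>")] = hits
    return findings


# Constructed sample export: one benign rule, one that bridges into the JVM,
# and one non-JavaScript rule that the scanner must skip.
SAMPLE_EXPORT = json.dumps([
    {"name": "temp-alert", "lang": "JAVASCRIPT",
     "rules": "rules.add().when(a => a.attribute('temp') > 30).then(f => f.notify())"},
    {"name": "suspicious", "lang": "JAVASCRIPT",
     "rules": "var S = Java.type('java.lang.System'); var d = S.getenv('DB_PASSWORD');"},
    {"name": "flow-rule", "lang": "FLOW", "rules": "Java.type('x')"},
])

if __name__ == "__main__":
    for name, hits in audit_export(SAMPLE_EXPORT).items():
        print(f"{name}: {', '.join(hits)}")
```

Run it against a real export after patching to 1.22.0 as well: the fix closes the injection path, but rulesets created while the instance was vulnerable still need review.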
RECOMMENDATION:
We recommend updating maven/io.openremote:openremote-manager to version 1.22.0.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-7mqr-33rv-p3mp