OpenRemote < 1.25.0 IDOR via Bulk Alarm Deletion Endpoint

Advisories

severity: high
date: 6/23/2026
Affecting: OpenRemote < 1.25.0
CVE: CVE-2026-56784
CWE: CWE-639 Authorization Bypass Through User-Controlled Key
CVSS: 8.6
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
References: Release Notes
GitHub Security Advisory (GHSA-h3m5-97jq-qjrf)
Credit: Tulkin Urinbaev (@Forklit), Vladyslav Koniakhin (@vladkoniakhinmob)
Description: OpenRemote before 1.25.0 contains an insecure direct object reference (IDOR) vulnerability in the bulk alarm deletion endpoint that allows authenticated users to permanently delete alarms belonging to other tenants by supplying arbitrary alarm IDs. The removeAlarms() method in AlarmResourceImpl.java omits realm-scoping validation in its JPA query, enabling any user with alarm-write permissions to enumerate sequential auto-increment alarm IDs and delete cross-tenant alarm records without authorization.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo