Product
An authenticated SQL injection vulnerability exists in the OpenRemote datapoint export API, allowing an attacker with asset creation/rename and datapoint export permissions to inject SQL commands via asset names, leading to arbitrary database execution and exfiltration of potentially cross-tenant data, with results returned in the normal ZIP/CSV export response.