{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/openremote-manager--1.26.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["openremote-manager (\u003c 1.26.0)","OpenRemote"],"_cs_severities":["high"],"_cs_tags":["sql-injection","data-exfiltration","web-application"],"_cs_type":"advisory","_cs_vendors":["OpenRemote"],"content_html":"\u003cp\u003eOpenRemote, an IoT solution platform, contains a critical authenticated SQL injection vulnerability in its datapoint export API, specifically within the crosstab export functionality. An attacker, requiring a valid authenticated session with permissions to create or rename assets and export their datapoints, can manipulate asset names to inject arbitrary SQL. This flaw stems from the application's practice of concatenating user-controlled asset display names directly into PostgreSQL \u003ccode\u003eCOPY\u003c/code\u003e queries without proper escaping. The injected SQL is executed against the backend database, and its results are included within the legitimate ZIP/CSV export response, allowing for data exfiltration. This vulnerability, affecting \u003ccode\u003eopenremote-manager\u003c/code\u003e versions prior to 1.26.0, poses a significant risk, particularly in multi-tenant environments where it could lead to unauthorized access and exfiltration of sensitive information across different tenants.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains a valid authenticated session within the OpenRemote platform.\u003c/li\u003e\n\u003cli\u003eThe attacker uses their permissions to create a new asset or rename an existing one, embedding SQL metacharacters and desired injection payload into the asset's name.\u003c/li\u003e\n\u003cli\u003eThe attacker ensures this crafted asset has at least one exportable datapoint attribute, potentially writing a value to it if needed.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a CSV crosstab datapoint export request for the attribute associated with the specially crafted asset.\u003c/li\u003e\n\u003cli\u003eThe OpenRemote backend constructs a PostgreSQL \u003ccode\u003eCOPY\u003c/code\u003e query, embedding the attacker-controlled asset name into SQL contexts without sufficient escaping.\u003c/li\u003e\n\u003cli\u003eThe database executes the malformed query, including the attacker's injected SQL statements (e.g., \u003ccode\u003eSELECT\u003c/code\u003e statements).\u003c/li\u003e\n\u003cli\u003eThe results of the injected \u003ccode\u003eSELECT\u003c/code\u003e query, along with normal datapoint data, are streamed back to the attacker within the exported CSV file contained in the ZIP response.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive database information, such as \u003ccode\u003ecurrent_user\u003c/code\u003e, \u003ccode\u003ecurrent_database()\u003c/code\u003e, and \u003ccode\u003ecount(*)\u003c/code\u003e from other tables, effectively exfiltrating data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of this vulnerability is significant, particularly due to its high confidentiality risk. An authenticated attacker can exfiltrate arbitrary data from the backend PostgreSQL database. This includes potentially sensitive configuration data, user information, or operational data, and in multi-tenant deployments, it could expose data belonging to other tenants. While integrity and availability impacts were not demonstrated in the proof-of-concept, they remain a possibility depending on the application's database role privileges. The ease of exploitation, requiring only common asset management permissions, makes this a serious threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenRemote \u003ccode\u003eopenremote-manager\u003c/code\u003e to version 1.26.0 or newer immediately to mitigate the SQL injection vulnerability as outlined in the \u003ccode\u003eaffected_products\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eReview web application firewall (WAF) rules to detect and block SQL injection patterns in URL parameters or request bodies that target the datapoint export endpoint.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and parameterized queries in all application development, especially when handling user-controlled data that might be used in SQL queries, as detailed in the \u0026quot;Recommended Fix\u0026quot; section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T21:58:37Z","date_published":"2026-07-06T21:58:37Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openremote-sql-injection/","summary":"An authenticated SQL injection vulnerability exists in the OpenRemote datapoint export API, allowing an attacker with asset creation/rename and datapoint export permissions to inject SQL commands via asset names, leading to arbitrary database execution and exfiltration of potentially cross-tenant data, with results returned in the normal ZIP/CSV export response.","title":"OpenRemote Authenticated SQL Injection via Datapoint Crosstab Export","url":"https://feed.craftedsignal.io/briefs/2026-07-openremote-sql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Openremote-Manager (\u003c 1.26.0)","version":"https://jsonfeed.org/version/1.1"}