<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>OpenRemote - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/openremote/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 06 Jul 2026 21:58:37 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/openremote/feed.xml" rel="self" type="application/rss+xml"/><item><title>OpenRemote Authenticated SQL Injection via Datapoint Crosstab Export</title><link>https://feed.craftedsignal.io/briefs/2026-07-openremote-sql-injection/</link><pubDate>Mon, 06 Jul 2026 21:58:37 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-openremote-sql-injection/</guid><description>An authenticated SQL injection vulnerability exists in the OpenRemote datapoint export API, allowing an attacker with asset creation/rename and datapoint export permissions to inject SQL commands via asset names, leading to arbitrary database execution and exfiltration of potentially cross-tenant data, with results returned in the normal ZIP/CSV export response.</description><content:encoded><![CDATA[<p>OpenRemote, an IoT solution platform, contains a critical authenticated SQL injection vulnerability in its datapoint export API, specifically within the crosstab export functionality. An attacker, requiring a valid authenticated session with permissions to create or rename assets and export their datapoints, can manipulate asset names to inject arbitrary SQL. This flaw stems from the application's practice of concatenating user-controlled asset display names directly into PostgreSQL <code>COPY</code> queries without proper escaping. The injected SQL is executed against the backend database, and its results are included within the legitimate ZIP/CSV export response, allowing for data exfiltration. This vulnerability, affecting <code>openremote-manager</code> versions prior to 1.26.0, poses a significant risk, particularly in multi-tenant environments where it could lead to unauthorized access and exfiltration of sensitive information across different tenants.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker obtains a valid authenticated session within the OpenRemote platform.</li>
<li>The attacker uses their permissions to create a new asset or rename an existing one, embedding SQL metacharacters and desired injection payload into the asset's name.</li>
<li>The attacker ensures this crafted asset has at least one exportable datapoint attribute, potentially writing a value to it if needed.</li>
<li>The attacker initiates a CSV crosstab datapoint export request for the attribute associated with the specially crafted asset.</li>
<li>The OpenRemote backend constructs a PostgreSQL <code>COPY</code> query, embedding the attacker-controlled asset name into SQL contexts without sufficient escaping.</li>
<li>The database executes the malformed query, including the attacker's injected SQL statements (e.g., <code>SELECT</code> statements).</li>
<li>The results of the injected <code>SELECT</code> query, along with normal datapoint data, are streamed back to the attacker within the exported CSV file contained in the ZIP response.</li>
<li>The attacker extracts sensitive database information, such as <code>current_user</code>, <code>current_database()</code>, and <code>count(*)</code> from other tables, effectively exfiltrating data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The impact of this vulnerability is significant, particularly due to its high confidentiality risk. An authenticated attacker can exfiltrate arbitrary data from the backend PostgreSQL database. This includes potentially sensitive configuration data, user information, or operational data, and in multi-tenant deployments, it could expose data belonging to other tenants. While integrity and availability impacts were not demonstrated in the proof-of-concept, they remain a possibility depending on the application's database role privileges. The ease of exploitation, requiring only common asset management permissions, makes this a serious threat.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade OpenRemote <code>openremote-manager</code> to version 1.26.0 or newer immediately to mitigate the SQL injection vulnerability as outlined in the <code>affected_products</code> section.</li>
<li>Review web application firewall (WAF) rules to detect and block SQL injection patterns in URL parameters or request bodies that target the datapoint export endpoint.</li>
<li>Implement strict input validation and parameterized queries in all application development, especially when handling user-controlled data that might be used in SQL queries, as detailed in the &quot;Recommended Fix&quot; section.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>sql-injection</category><category>data-exfiltration</category><category>web-application</category></item></channel></rss>