Impact
OpenRemote is an open‑source IoT platform whose rules engine lets users write rules that are executed by an embedded JavaScript engine with no sandboxing and no class filtering. User‑supplied scripts are evaluated through Nashorn's ScriptEngine.eval(). The authorization check in front of the rules engine guards only Groovy rules, restricting them to superusers, while JavaScript rules are accepted from any user holding the write:rules role. Together with a Groovy security filter that is never registered, this lets a non‑superuser create a JavaScript rule that runs with full JVM privileges: remote code execution with the privileges of the application process (root in the reported deployment), arbitrary file access, theft of environment variables including database credentials, and a complete bypass of multi‑tenant isolation.
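The following is an added illustration, not OpenRemote's own code, of the two defects the paragraph describes and how each is closed: an authorization check that gates only Groovy on the superuser flag beside one that gates every JVM‑hosted script language, and engine construction that actually registers a Nashorn ClassFilter and a Groovy SecureASTCustomizer. Every type and method name here (Principal, Lang, vulnerableCanCreate, hardenedCanCreate, filteredNashorn, filteredGroovy) is hypothetical; the Nashorn and Groovy classes are the real jdk.nashorn / org.codehaus.groovy APIs, assumed to be on the classpath (on JDK 15 and later the standalone Nashorn package is org.openjdk.nashorn instead).

```java
// Added example, not OpenRemote code. All names below are hypothetical except
// the Nashorn and Groovy library classes.
import java.util.List;
import java.util.Set;
import javax.script.ScriptEngine;
import jdk.nashorn.api.scripting.ClassFilter;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.codehaus.groovy.control.customizers.SecureASTCustomizer;
import groovy.lang.GroovyShell;

public class RuleAuthorization {

    enum Lang { JSON, JAVASCRIPT, GROOVY }

    // Hypothetical caller identity: granted roles plus the superuser flag.
    record Principal(Set<String> roles, boolean superuser) {}

    // Vulnerable shape: only Groovy is gated on superuser, so any holder of
    // write:rules may submit JavaScript that runs on an unfiltered engine.
    static boolean vulnerableCanCreate(Principal p, Lang lang) {
        if (!p.roles().contains("write:rules")) return false;
        if (lang == Lang.GROOVY) return p.superuser();
        return true;
    }

    // Hardened: every language that reaches a JVM script engine is treated as
    // privileged; write:rules alone suffices only for declarative JSON rules.
    static boolean hardenedCanCreate(Principal p, Lang lang) {
        if (!p.roles().contains("write:rules")) return false;
        return switch (lang) {
            case JSON -> true;
            case JAVASCRIPT, GROOVY -> p.superuser();
        };
    }

    // Defence in depth for JavaScript: a ClassFilter that exposes no Java class,
    // so Java.type('java.lang.Runtime') fails instead of resolving.
    static ScriptEngine filteredNashorn() {
        ClassFilter denyAll = className -> false;
        return new NashornScriptEngineFactory().getScriptEngine(denyAll);
    }

    // Defence in depth for Groovy: the customizer has to be added to the
    // CompilerConfiguration the shell is built from; an unregistered
    // SecureASTCustomizer instance does nothing.
    static GroovyShell filteredGroovy() {
        SecureASTCustomizer secure = new SecureASTCustomizer();
        secure.setImportsWhitelist(List.of());        // no imports permitted
        secure.setStarImportsWhitelist(List.of());
        secure.setIndirectImportCheckEnabled(true);   // also block fully-qualified names
        CompilerConfiguration cfg = new CompilerConfiguration();
        cfg.addCompilationCustomizers(secure);
        return new GroovyShell(cfg);
    }

    public static void main(String[] args) {
        Principal tenantUser = new Principal(Set.of("write:rules"), false);
        System.out.println("vulnerable check allows JS: " + vulnerableCanCreate(tenantUser, Lang.JAVASCRIPT));
        System.out.println("hardened check allows JS:   " + hardenedCanCreate(tenantUser, Lang.JAVASCRIPT));

        ScriptEngine js = filteredNashorn();
        try {
            js.eval("Java.type('java.lang.Runtime')");
            System.out.println("class filter NOT in effect");
        } catch (Exception e) {
            System.out.println("class filter blocked Java.type: " + e);
        }
    }
}
```

The authorization fix is the one that matters for this flaw: the class filter and AST customizer only reduce what a script can reach once it is already running, whereas keeping non‑superusers away from script languages altogether removes the attacker's entry point.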
Affected Systems
OpenRemote open‑source IoT platform, versions 1.21.0 and earlier. No other software is listed as affected.
Risk and Exploitability
A CVSS score of 10 is the maximum rating. No EPSS score is available, so the observed likelihood of exploitation is unknown, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Neither absence lowers the risk: any authenticated user holding the write:rules role can create the malicious rule, so an attacker who obtains legitimate access or compromises such an account can exploit the flaw immediately. The rule is delivered through the platform's standard web interface or the API that accepts rule definitions, so the attack vector is remote network access with an authenticated, non‑superuser account. Because the result is code execution at the privilege level of the server process, reported as root, the damage is not confined to the attacker's own tenant: every tenant on the instance is exposed.
OpenCVE Enrichment
GitHub GHSA