CVE-2026-56120 - Vulnerability Details

Description

This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as it's a duplicate of CVE-2026-56784.

Published: 2026-06-23

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

No reference.

History

Tue, 23 Jun 2026 21:45:00 +0000

Type	Values Removed	Values Added
Description	OpenRemote before 1.25.0 contains an insecure direct object reference (IDOR) vulnerability in the bulk alarm deletion endpoint that allows authenticated users to permanently delete alarms belonging to other tenants by supplying arbitrary alarm IDs. The removeAlarms() method in AlarmResourceImpl.java omits realm-scoping validation in its JPA query, enabling any user with alarm-write permissions to enumerate sequential auto-increment alarm IDs and delete cross-tenant alarm records without authorization.	This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as it's a duplicate of CVE-2026-56784.
Title	OpenRemote < 1.25.0 IDOR via Bulk Alarm Deletion Endpoint
Weaknesses	CWE-639
References	https://github.com/openremote/openremote/releases/tag/1.25.0 https://github.com/openremote/openremote/security/advisories/GHSA-h3m5-97jq-qjrf https://www.vulncheck.com/advisories/openremote-idor-via-bulk-alarm-deletion-endpoint
Metrics	cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}` cvssV4_0 `{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}`

Tue, 23 Jun 2026 21:15:00 +0000

Type	Values Removed	Values Added
Description		OpenRemote before 1.25.0 contains an insecure direct object reference (IDOR) vulnerability in the bulk alarm deletion endpoint that allows authenticated users to permanently delete alarms belonging to other tenants by supplying arbitrary alarm IDs. The removeAlarms() method in AlarmResourceImpl.java omits realm-scoping validation in its JPA query, enabling any user with alarm-write permissions to enumerate sequential auto-increment alarm IDs and delete cross-tenant alarm records without authorization.
Title		OpenRemote < 1.25.0 IDOR via Bulk Alarm Deletion Endpoint
Weaknesses		CWE-639
References		https://github.com/openremote/openremote/releases/tag/1.25.0 https://github.com/openremote/openremote/security/advisories/GHSA-h3m5-97jq-qjrf https://www.vulncheck.com/advisories/openremote-idor-via-bulk-alarm-deletion-endpoint
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}` cvssV4_0 `{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}`

Subscriptions

No data.

MITRE

Status: REJECTED

Assigner: VulnCheck

Published: 2026-06-23T20:54:15.497Z

Updated: 2026-06-23T21:03:57.607Z

Reserved: 2026-06-18T19:15:10.651Z

Link: CVE-2026-56120

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

No weakness.

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object