Description
OpenRemote before 1.25.0 contains an insecure direct object reference (IDOR) vulnerability in the bulk alarm deletion endpoint that allows authenticated users to permanently delete alarms belonging to other tenants by supplying arbitrary alarm IDs. The removeAlarms() method in AlarmResourceImpl.java omits realm-scoping validation in its JPA query, enabling any user with alarm-write permissions to enumerate sequential auto-increment alarm IDs and delete cross-tenant alarm records without authorization.
Published: 2026-06-23
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenRemote before 1.25.0 contains an insecure direct object reference (IDOR) vulnerability in the bulk alarm deletion endpoint that allows authenticated users to permanently delete alarms belonging to other tenants by supplying arbitrary alarm IDs. The removeAlarms() method in AlarmResourceImpl.java omits realm‑scoping validation in its JPA query, enabling any user with alarm‑write permissions to enumerate sequential auto‑increment alarm IDs and delete cross‑tenant alarm records without authorization.

Affected Systems

The affected product is OpenRemote from the vendor OpenRemote. All releases before 1.25.0 are impacted, including any deployments where the bulk alarm deletion functionality is enabled. No specific sub‑products are mentioned.

Risk and Exploitability

The CVSS score of 8.6 indicates High severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires valid user credentials with alarm‑write permissions; no additional privileges are needed. The attacker can remotely invoke the bulk deletion API and delete alarms across tenant boundaries, leading to loss of critical safety data.

Generated by OpenCVE AI on June 24, 2026 at 09:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenRemote to version 1.25.0 or later
  • Restrict access to the removeAlarms endpoint so that only tenant administrators can invoke it
  • Enable and review audit logs for abnormal bulk alarm deletion activity and investigate suspicious events
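The unscoped bulk delete that the description attributes to removeAlarms(), beside a realm-scoped version that refuses any ID outside the caller's realm, as an added illustration that is not taken from OpenRemote's source. The table, columns, realm names and sample alarms are constructed, and sqlite3 stands in for the JPA layer.

```python
import sqlite3

# Constructed sample data: two realms (tenants) share one alarm table with
# sequential integer IDs, which is what makes cross-tenant IDs guessable.
SAMPLE_ALARMS = [
    (1, "master", "Boiler overpressure"),
    (2, "master", "Door forced"),
    (3, "tenant-b", "Smoke detected"),
    (4, "tenant-b", "Pump failure"),
]

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE alarm (id INTEGER PRIMARY KEY, realm TEXT NOT NULL, title TEXT)")
    conn.executemany("INSERT INTO alarm VALUES (?, ?, ?)", SAMPLE_ALARMS)
    return conn

def remove_alarms_unscoped(conn, caller_realm, alarm_ids):
    """Unsafe pattern: the DELETE is keyed only on caller-supplied IDs.
    caller_realm is never consulted, so an ID from any realm is removed."""
    ids = list(set(alarm_ids))
    placeholders = ",".join("?" * len(ids))
    cur = conn.execute(f"DELETE FROM alarm WHERE id IN ({placeholders})", ids)
    conn.commit()
    return cur.rowcount

def remove_alarms_scoped(conn, caller_realm, alarm_ids):
    """Hardened pattern: every requested ID must resolve inside the caller's
    realm, and the DELETE itself carries the realm predicate as well."""
    ids = sorted(set(alarm_ids))  # de-duplicate so the count check is exact
    if not ids:
        return 0
    placeholders = ",".join("?" * len(ids))
    (matched,) = conn.execute(
        f"SELECT COUNT(*) FROM alarm WHERE realm = ? AND id IN ({placeholders})",
        [caller_realm, *ids]).fetchone()
    # Unknown IDs and foreign-realm IDs are rejected alike, so the endpoint
    # does not become an oracle for which IDs exist in other realms.
    if matched != len(ids):
        raise PermissionError("alarm IDs not found in caller's realm")
    cur = conn.execute(
        f"DELETE FROM alarm WHERE realm = ? AND id IN ({placeholders})",
        [caller_realm, *ids])
    conn.commit()
    return cur.rowcount

def remaining_ids(conn, realm):
    return [r[0] for r in conn.execute(
        "SELECT id FROM alarm WHERE realm = ? ORDER BY id", (realm,))]
```

Rejecting the whole request is one reasonable policy; silently deleting only the in-realm subset is the other, and either is acceptable as long as the realm predicate is present in the DELETE.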

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:45:00 +0000

Type: Description
  Values Removed: OpenRemote Manager before 1.24.2 contains an insecure direct object reference vulnerability in the removeAlarms() method that allows authenticated users to delete alarms from other tenants by supplying arbitrary alarm IDs. The bulk deletion endpoint fails to validate that targeted alarm IDs belong to the caller's realm, enabling cross-tenant permanent destruction of safety-critical and security alerts.
  Values Added: OpenRemote before 1.25.0 contains an insecure direct object reference (IDOR) vulnerability in the bulk alarm deletion endpoint that allows authenticated users to permanently delete alarms belonging to other tenants by supplying arbitrary alarm IDs. The removeAlarms() method in AlarmResourceImpl.java omits realm-scoping validation in its JPA query, enabling any user with alarm-write permissions to enumerate sequential auto-increment alarm IDs and delete cross-tenant alarm records without authorization.
Type: Title
  Values Removed: OpenRemote Manager - Cross-Tenant IDOR in Bulk Alarm Deletion
  Values Added: OpenRemote < 1.25.0 IDOR via Bulk Alarm Deletion Endpoint
Type: References
Type: Metrics
  Values Removed:
    cvssV3_1 {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H'}
    cvssV4_0 {'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N'}
  Values Added:
    cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}
    cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


Tue, 23 Jun 2026 15:30:00 +0000

Type: Metrics
  Values Added:
    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 12:45:00 +0000

Type: Description
  Values Added: OpenRemote Manager before 1.24.2 contains an insecure direct object reference vulnerability in the removeAlarms() method that allows authenticated users to delete alarms from other tenants by supplying arbitrary alarm IDs. The bulk deletion endpoint fails to validate that targeted alarm IDs belong to the caller's realm, enabling cross-tenant permanent destruction of safety-critical and security alerts.
Type: Title
  Values Added: OpenRemote Manager - Cross-Tenant IDOR in Bulk Alarm Deletion
Type: First Time appeared
  Values Added: Openremote; Openremote openremote
Type: Weaknesses
  Values Added: CWE-639
Type: CPEs
  Values Added: cpe:2.3:a:openremote:openremote:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Openremote; Openremote openremote
Type: References
Type: Metrics
  Values Added:
    cvssV3_1 {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H'}
    cvssV4_0 {'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T21:02:37.342Z

Reserved: 2026-06-23T01:24:27.651Z

Link: CVE-2026-56784

Vulnrichment

Updated: 2026-06-23T15:02:14.593Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T09:30:06Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key