Description
OpenRemote before 1.26.0 contain an authenticated SQL injection vulnerability in the datapoint crosstab export endpoint that constructs PostgreSQL queries by concatenating asset display names into raw SQL. An authenticated attacker with asset creation or rename permissions can inject SQL through the asset name parameter and receive query results in the exported CSV response, enabling database data exfiltration.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Fri, 17 Jul 2026 00:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | OpenRemote before 1.26.0 contain an authenticated SQL injection vulnerability in the datapoint crosstab export endpoint that constructs PostgreSQL queries by concatenating asset display names into raw SQL. An authenticated attacker with asset creation or rename permissions can inject SQL through the asset name parameter and receive query results in the exported CSV response, enabling database data exfiltration. | |
| Title | OpenRemote < 1.26.0 SQL Injection via Crosstab Export | |
| First Time appeared |
Openremote
Openremote openremote |
|
| Weaknesses | CWE-89 | |
| CPEs | cpe:2.3:a:openremote:openremote:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Openremote
Openremote openremote |
|
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-17T00:07:12.425Z
Reserved: 2026-07-13T16:41:09.007Z
Link: CVE-2026-62238
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
-
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')