CRITICAL🇵🇱 Wersja polska

CVE-2026-39842

CVSS 9.9v3.1pub. 2026-04-15upd. 2026-04-23

OpenRemote is an open-source IoT platform. Versions 1.21.0 and below contain two interrelated expression injection vulnerabilities in the rules engine that allow arbitrary code execution on the server. The JavaScript rules engine executes user-supplied scripts via Nashorn's ScriptEngine.eval() without sandboxing, class filtering, or access restrictions, and the authorization check in RulesResourceImpl only restricts Groovy rules to superusers while leaving JavaScript rules unrestricted for any user with the write:rules role. Additionally, the Groovy rules engine has a GroovyDenyAllFilter security filter that is defined but never registered, as the registration code is commented out, rendering the SandboxTransformer ineffective for superuser-created Groovy rules. A non-superuser attacker with the write:rules role can create JavaScript rulesets that execute with full JVM access, enabling remote code execution as root, arbitrary file read, environment variable theft including database credentials, and complete multi-tenant isolation bypass to access data across all realms. This issue has been fixed in version 1.22.0.

🤖 AI Analysis
How it works

The JavaScript rules engine executes user-supplied scripts by calling Nashorn ScriptEngine.eval() without any sandboxing, class filtering, or access restrictions. Permission checking in RulesResourceImpl restricts Groovy rules exclusively to superusers, while JavaScript rules are left unrestricted for any user with the write:rules role. Additionally, in the Groovy rules engine, the security filter GroovyDenyAllFilter defined is never registered because the registration code is commented out — thus the SandboxTransformer mechanism remains ineffective even for rules created by superusers.

Impact

An attacker without superuser privileges but with the write:rules role can remotely execute arbitrary code as root, read system files, steal environment variables (including database credentials), and completely bypass multi-tenant isolation, gaining access to data of all tenants (realms) in the platform.

Mitigation & patch

OpenRemote should be updated to version 1.22.0 as soon as possible, where the vulnerability has been fixed. Details are available in the official release on GitHub (tag 1.22.0) and in security advisory GHSA-7mqr-33rv-p3mp.

Who is affected

OpenRemote in versions 1.21.0 and earlier

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Openremote

    APP
    Openremote
    < 1.22.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2022-31860CRITICAL9.8ten sam produkt

An issue was discovered in OpenRemote through 1.0.4 allows attackers to execute arbitrary code via a crafted G...

CVE-2026-40882HIGH7.6ten sam produkt

OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import pat...

CVE-2026-41166HIGH7.0ten sam produkt

OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has `write:admin...