GHSA-cgfv-jrfp-2r7v: Authenticated SQL Injection in OpenRemote Datapoint Crosstab Export
Vulnerability ID: GHSA-CGFV-JRFP-2R7V
CVSS Score: 8.5
Published: 2026-07-06
An authenticated SQL injection vulnerability exists in the datapoint crosstab export functionality of OpenRemote. The vulnerability is caused by insecure manual SQL string construction that concatenates user-controlled display data, specifically asset display names and attribute names, directly into raw SQL statements. These statements are processed by the PostgreSQL database engine using the crosstab function to structure dynamic CSV outputs.
TL;DR
Authenticated SQL injection in OpenRemote's CSV crosstab export via crafted asset names, allowing data exfiltration from multi-tenant PostgreSQL databases.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-89
- Attack Vector: Network
- CVSS: 8.5 (High)
- Exploit Status: poc
- Impact: Data Exfiltration / Tenant Boundary Bypass
- KEV Status: Not Listed
- Patch Status: Patched in 1.26.0
Affected Systems
- OpenRemote
- OpenRemote Manager
-
openremote-manager: < 1.26.0 (Fixed in:
1.26.0)
Code Analysis
Commit: 02ac830
Ensure datapoint export handles asset names safely without dynamic SQL generation
Mitigation Strategies
- Upgrade OpenRemote to version 1.26.0 or newer.
- Restrict asset creation and modification privileges in tenant spaces.
- Deploy WAF rules to detect SQL syntax in asset update payloads.
Remediation Steps:
- Identify any vulnerable OpenRemote deployments utilizing versions older than 1.26.0.
- Download and apply the updated Docker container or Maven package matching version 1.26.0.
- Validate asset schemas for abnormal characters such as dollar-signs or double-quotes.
- Monitor PostgreSQL queries for unusual crosstab commands in the server logs.
References
Read the full report for GHSA-CGFV-JRFP-2R7V on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)