DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-CGFV-JRFP-2R7V: GHSA-cgfv-jrfp-2r7v: Authenticated SQL Injection in OpenRemote Datapoint Crosstab Export

GHSA-cgfv-jrfp-2r7v: Authenticated SQL Injection in OpenRemote Datapoint Crosstab Export

Vulnerability ID: GHSA-CGFV-JRFP-2R7V
CVSS Score: 8.5
Published: 2026-07-06

An authenticated SQL injection vulnerability exists in the datapoint crosstab export functionality of OpenRemote. The vulnerability is caused by insecure manual SQL string construction that concatenates user-controlled display data, specifically asset display names and attribute names, directly into raw SQL statements. These statements are processed by the PostgreSQL database engine using the crosstab function to structure dynamic CSV outputs.

TL;DR

Authenticated SQL injection in OpenRemote's CSV crosstab export via crafted asset names, allowing data exfiltration from multi-tenant PostgreSQL databases.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-89
  • Attack Vector: Network
  • CVSS: 8.5 (High)
  • Exploit Status: poc
  • Impact: Data Exfiltration / Tenant Boundary Bypass
  • KEV Status: Not Listed
  • Patch Status: Patched in 1.26.0

Affected Systems

  • OpenRemote
  • OpenRemote Manager
  • openremote-manager: < 1.26.0 (Fixed in: 1.26.0)

Code Analysis

Commit: 02ac830

Ensure datapoint export handles asset names safely without dynamic SQL generation

Mitigation Strategies

  • Upgrade OpenRemote to version 1.26.0 or newer.
  • Restrict asset creation and modification privileges in tenant spaces.
  • Deploy WAF rules to detect SQL syntax in asset update payloads.

Remediation Steps:

  1. Identify any vulnerable OpenRemote deployments utilizing versions older than 1.26.0.
  2. Download and apply the updated Docker container or Maven package matching version 1.26.0.
  3. Validate asset schemas for abnormal characters such as dollar-signs or double-quotes.
  4. Monitor PostgreSQL queries for unusual crosstab commands in the server logs.

References


Read the full report for GHSA-CGFV-JRFP-2R7V on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)