DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-H3M5-97JQ-QJRF: Insecure Direct Object Reference (IDOR) Cross-Realm Bulk Alarm Deletion in OpenRemote Manager


Vulnerability ID: GHSA-H3M5-97JQ-QJRF
CVSS Score: 9.6
Published: 2026-06-19

An Insecure Direct Object Reference (IDOR) and missing authorization flaw in OpenRemote Manager allows an authenticated, low-privilege user of one tenant (realm) to bulk-delete alarms belonging to other realms, resulting in permanent destruction of safety-critical alarms that the user is not authorized to touch.

TL;DR

The bulk delete endpoint in OpenRemote Manager checked only that the caller's own realm was active and accessible; it never checked which realm owned each alarm in the submitted ID list. Because alarm IDs are auto-incremented database keys shared across all realms, a low-privilege tenant user can guess or enumerate IDs and delete safety-critical alarms belonging to any other realm in a single request.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-639 / CWE-862
  • Attack Vector: Network (AV:N)
  • CVSS: 9.6 (Critical)
  • Impact: Integrity (High), Availability (High)
  • Exploit Status: Proof-of-Concept
  • CISA KEV Status: Not Listed

Affected Systems

  • OpenRemote Manager
  • openremote-manager: < 1.24.2 (Fixed in: 1.24.2)

Code Analysis

Commit: 9fad55e

Enforce realm authorization in bulk alarm deletion endpoint

@@ -73,10 +73,12 @@ public SentAlarm[] getAlarms(RequestParams requestParams, String realm, Alarm.St
     @Override
     public void removeAlarms(RequestParams requestParams, List<Long> alarmIds) {
         try {
-            if (!isRealmActiveAndAccessible(getAuthenticatedRealmName())) {
-                throw new ForbiddenException("Realm '" + getAuthenticatedRealmName() + "' is nonexistent, inactive or inaccessible");
+            List<SentAlarm> alarms = alarmService.getAlarms(alarmIds);
+            for (SentAlarm alarm : alarms) {
+                if (!isRealmActiveAndAccessible(alarm.getRealm())) {
+                    throw new ForbiddenException("Realm '" + alarm.getRealm() + "' is nonexistent, inactive or inaccessible");
+                }
             }
-            List<SentAlarm> alarms = alarmService.getAlarms(alarmIds);;
             alarmService.removeAlarms(alarms, alarmIds);
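Review bot: the ForbiddenException thrown inside the new per-alarm loop puts alarm.getRealm() in its message, so a caller who submits guessed auto-incremented IDs is told which realm owns each one; the deletion hole is closed but the endpoint becomes a cross-realm enumeration oracle. Use a message that does not name the foreign realm, or answer exactly as for a nonexistent ID, e.g. throw new ForbiddenException("One or more alarms are not accessible"). Separately, alarmService.removeAlarms(alarms, alarmIds) still receives the raw alarmIds list next to the verified alarms; if the service deletes by ID it should be handed only the IDs of alarms that passed the check, or the method should confirm that getAlarms resolved every submitted ID before deleting anything.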

Exploit Details

  • Groovy integration test: proof-of-concept test that performs the cross-realm bulk delete against a vulnerable build and verifies that the fixed build rejects it
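As an added example, not code from OpenRemote or from the advisory, the following Python model shows the bulk-delete authorization in its pre-fix and post-fix shapes and replays the cross-realm proof of concept described in the TL;DR and in the Groovy integration test above against both. Class and function names (AlarmStore, SentAlarm, Caller, realm_accessible) are hypothetical stand-ins, the alarms are constructed sample data, and the fixed variant goes beyond the patch in two ways marked in the comments: it fails closed on unknown IDs and does not echo a foreign realm name in the error.

```python
"""
Added example (not OpenRemote code): a minimal model of the bulk alarm
delete authorization before and after the fix, plus the cross-realm PoC.
All names below are hypothetical stand-ins; only the shape of the check
mirrors the patch.
"""
from dataclasses import dataclass, field
from typing import Dict, List


class Forbidden(Exception):
    """Stand-in for the ForbiddenException thrown by the real endpoint."""


@dataclass(frozen=True)
class SentAlarm:
    id: int          # auto-incremented database id, shared across realms
    realm: str       # owning tenant
    title: str


@dataclass
class Caller:
    realm: str                 # realm the caller authenticated against
    superuser: bool = False    # a master-realm admin may cross realms


@dataclass
class AlarmStore:
    alarms: Dict[int, SentAlarm] = field(default_factory=dict)
    active_realms: set = field(default_factory=set)

    def get_alarms(self, ids: List[int]) -> List[SentAlarm]:
        # Like alarmService.getAlarms: dedupes ids, silently skips unknown ones.
        return [self.alarms[i] for i in dict.fromkeys(ids) if i in self.alarms]

    def realm_accessible(self, caller: Caller, realm: str) -> bool:
        # Model of isRealmActiveAndAccessible(realm) for this caller.
        return realm in self.active_realms and (caller.superuser or caller.realm == realm)

    def remove_alarms_vulnerable(self, caller: Caller, ids: List[int]) -> List[int]:
        """Pre-fix logic: only the caller's own realm is checked, never the
        realm of each submitted id, so any id in the table can be deleted."""
        if not self.realm_accessible(caller, caller.realm):
            raise Forbidden(f"Realm '{caller.realm}' is nonexistent, inactive or inaccessible")
        alarms = self.get_alarms(ids)
        for a in alarms:
            del self.alarms[a.id]
        return [a.id for a in alarms]

    def remove_alarms_fixed(self, caller: Caller, ids: List[int]) -> List[int]:
        """Post-fix logic: resolve the ids, check each alarm's realm, and
        reject the whole batch if any alarm is inaccessible. Unknown ids are
        rejected too (fail closed), which is stricter than the patch."""
        alarms = self.get_alarms(ids)
        if len(alarms) != len(set(ids)):
            raise Forbidden("one or more alarm ids do not exist")
        for a in alarms:
            if not self.realm_accessible(caller, a.realm):
                # Generic message: do not leak the foreign realm name.
                raise Forbidden("one or more alarms are not accessible")
        for a in alarms:
            del self.alarms[a.id]
        return [a.id for a in alarms]


def build_store() -> AlarmStore:
    """Constructed sample data: two tenants sharing one id sequence."""
    store = AlarmStore(active_realms={"master", "tenantA", "tenantB"})
    for alarm in (
        SentAlarm(1, "tenantA", "Pump pressure low"),
        SentAlarm(2, "tenantB", "Gas leak detected"),
        SentAlarm(3, "tenantB", "Fire alarm zone 2"),
    ):
        store.alarms[alarm.id] = alarm
    return store


def poc_cross_realm_delete(fixed: bool) -> dict:
    """Replay the PoC: a tenantA user submits tenantB's alarm ids.
    Returns whether the request was rejected and which ids survived."""
    store = build_store()
    attacker = Caller(realm="tenantA")
    fn = store.remove_alarms_fixed if fixed else store.remove_alarms_vulnerable
    rejected = False
    try:
        fn(attacker, [2, 3])
    except Forbidden:
        rejected = True
    return {"rejected": rejected, "remaining": sorted(store.alarms)}


if __name__ == "__main__":
    print("vulnerable:", poc_cross_realm_delete(fixed=False))
    print("fixed:     ", poc_cross_realm_delete(fixed=True))
```

Against the vulnerable variant the tenantA caller wipes both tenantB alarms and only id 1 survives; against the fixed variant the batch is rejected as a whole and all three alarms remain, while a tenantB caller or a master-realm superuser can still delete the same ids.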

Mitigation Strategies

  • Upgrade the OpenRemote Manager dependency to version 1.24.2 or later; this is the only change that closes the missing authorization check
  • Enforce rate limiting on API deletion endpoints (defence in depth only: a single request can still carry many IDs)
  • Restrict the maximum payload size of JSON arrays in DELETE requests (limits blast radius per request, does not prevent cross-realm deletion)

Remediation Steps:

  1. Identify the current OpenRemote version in pom.xml
  2. Update the io.openremote:openremote-manager version dependency to 1.24.2
  3. Rebuild and redeploy the OpenRemote container images
  4. Verify the mitigation using the provided integration tests

References


Read the full report for GHSA-H3M5-97JQ-QJRF on our website for more details including interactive diagrams and full exploit analysis.
