GHSA-cgfv-jrfp-2r7v: OpenRemote has Authenticated SQL Injection via Datapoint Crosstab Export
Summary
The datapoint export API builds a PostgreSQL crosstab export query by concatenating asset display names into raw SQL. An authenticated user who can create or rename an asset and then request a crosstab datapoint export can inject SQL through the asset name. The injected query output is streamed back to the caller inside the normal ZIP/CSV export response.
This creates a practical database exfiltration primitive through the application API. In a multi-tenant deployment, this can expose data outside the attacker's tenant if the application database role can read shared manager tables.
Affected Component
- Datapoint export endpoint for asset datapoints.
- Crosstab export formats, specifically CSV crosstab-style exports.
- Query builder path that constructs a COPY (SELECT ... FROM crosstab(...)) TO STDOUT statement.
Security Impact
Impact is high. A remote authenticated attacker with asset read/write capabilities can:
- Store SQL syntax inside an asset name.
- Trigger the crosstab export path for that asset.
- Cause the backend to execute attacker-influenced SQL through the PostgreSQL connection used by the manager service.
- Receive injected SELECT results in the exported CSV contained in the ZIP response.
The demonstrated impact is database data exfiltration. The proof of concept safely retrieved database execution context and an aggregate table count. A real attacker could adapt the injected SELECT to read other database tables accessible to the application database role.
This is especially sensitive in multi-tenant deployments because application tables commonly contain data for multiple realms/tenants in the same database.
Attack Preconditions
The attacker needs:
- A valid authenticated session.
- Permission to create or rename at least one asset.
- Permission to read/export datapoints for at least one attribute on that asset.
- Access to a crosstab datapoint export format.
No direct database access is required. No server filesystem access is r
Details
Original advisory: https://github.com/advisories/GHSA-cgfv-jrfp-2r7v
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10