CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-cgfv-jrfp-2r7v: OpenRemote has Authenticated SQL Injection via Datapoint Crosstab Export

high
Summary The datapoint export API builds a PostgreSQL crosstab export query by concatenating asset display names into raw SQL. An authenticated user who can create or rename an asset and then request a crosstab datapoint export can inject SQL through the asset name. The injected query output is streamed back to the caller inside the normal ZIP/CSV export response. This creates a practical database exfiltration primitive through the application API. In a multi-tenant deployment, this can expose data outside the attacker's tenant if the application database role can read shared manager tables. Affected Component - Datapoint export endpoint for asset datapoints. - Crosstab export formats, specifically CSV crosstab-style exports. - Query builder path that constructs a COPY (SELECT ... FROM crosstab(...)) TO STDOUT statement. Security Impact Impact is high. A remote authenticated attacker with asset read/write capabilities can: - Store SQL syntax inside an asset name. - Trigger the crosstab export path for that asset. - Cause the backend to execute attacker-influenced SQL through the PostgreSQL connection used by the manager service. - Receive injected SELECT results in the exported CSV contained in the ZIP response. The demonstrated impact is database data exfiltration. The proof of concept safely retrieved database execution context and an aggregate table count. A real attacker could adapt the injected SELECT to read other database tables accessible to the application database role. This is especially sensitive in multi-tenant deployments because application tables commonly contain data for multiple realms/tenants in the same database. Attack Preconditions The attacker needs: - A valid authenticated session. - Permission to create or rename at least one asset. - Permission to read/export datapoints for at least one attribute on that asset. - Access to a crosstab datapoint export format. No direct database access is required. No server filesystem access is r

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
high
Published
2026-07-06
Last updated
2026-07-06
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-cgfv-jrfp-2r7v

More from GitHub Security Advisories