CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-h3m5-97jq-qjrf: OpenRemote Manager: removeAlarms cross-realm IDOR (bulk delete)

criticalCVSS 9.6CVE-2026-57168
Summary OpenRemote Manager is vulnerable to a cross-tenant Insecure Direct Object Reference (IDOR) in the bulk alarm deletion endpoint. An authenticated user in any realm can delete alarms belonging to other realms (tenants) by supplying arbitrary alarm IDs. The vulnerability exists because the bulk removeAlarms() method only verifies that the caller's own realm is active and accessible, but never checks whether the targeted alarm IDs belong to the caller's realm before deleting them. This allows any user with alarm write permissions in their own realm to permanently destroy alarm records — including safety-critical and security alerts — belonging to any other tenant on the same OpenRemote installation. [Additional Information] The singular removeAlarm() method correctly validates that the target alarm's realm matches the caller's access: // CORRECT (singular): SentAlarm alarm = alarmService.getAlarm(alarmId); if (!isRealmActiveAndAccessible(alarm.getRealm())) { throw new ForbiddenException(...); } The plural removeAlarms() method is missing this per-alarm realm check and only validates the caller's own realm — a check that is trivially satisfied for any authenticated user: // VULNERABLE (plural): public void removeAlarms(RequestParams requestParams, List<Long> alarmIds) { if (!isRealmActiveAndAccessible(getAuthenticatedRealmName())) { throw new ForbiddenException(...); // always passes for any auth user } List<SentAlarm> alarms = alarmService.getAlarms(alarmIds); // no realm filter alarmService.removeAlarms(alarms, alarmIds); // no realm filter } The underlying service queries contain no realm scoping: // AlarmService.getAlarms(List<Long>): "select sa from SentAlarm sa where sa.id in :ids" // no realm filter // AlarmService.removeAlarms(): "delete from SentAlarm sa where sa.id in :ids" // no realm filter

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
critical — CVSS 9.6
Published
2026-06-19
Last updated
2026-07-02
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-h3m5-97jq-qjrf

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-57168coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories