GHSA-h3m5-97jq-qjrf: OpenRemote Manager: removeAlarms cross-realm IDOR (bulk delete)
Summary
OpenRemote Manager is vulnerable to a cross-tenant Insecure Direct
Object Reference (IDOR) in the bulk alarm deletion endpoint. An
authenticated user in any realm can delete alarms belonging to other
realms (tenants) by supplying arbitrary alarm IDs. The vulnerability
exists because the bulk removeAlarms() method only verifies that the
caller's own realm is active and accessible, but never checks whether
the targeted alarm IDs belong to the caller's realm before deleting
them.
This allows any user with alarm write permissions in their own realm
to permanently destroy alarm records — including safety-critical and
security alerts — belonging to any other tenant on the same OpenRemote
installation.
[Additional Information]
The singular removeAlarm() method correctly validates that the
target alarm's realm matches the caller's access:
// CORRECT (singular):
SentAlarm alarm = alarmService.getAlarm(alarmId);
if (!isRealmActiveAndAccessible(alarm.getRealm())) {
throw new ForbiddenException(...);
}
The plural removeAlarms() method is missing this per-alarm realm
check and only validates the caller's own realm — a check that is
trivially satisfied for any authenticated user:
// VULNERABLE (plural):
public void removeAlarms(RequestParams requestParams, List<Long> alarmIds) {
if (!isRealmActiveAndAccessible(getAuthenticatedRealmName())) {
throw new ForbiddenException(...); // always passes for any auth user
}
List<SentAlarm> alarms = alarmService.getAlarms(alarmIds); // no realm filter
alarmService.removeAlarms(alarms, alarmIds); // no realm filter
}
The underlying service queries contain no realm scoping:
// AlarmService.getAlarms(List<Long>):
"select sa from SentAlarm sa where sa.id in :ids"
// no realm filter
// AlarmService.removeAlarms():
"delete from SentAlarm sa where sa.id in :ids"
// no realm filter
Details
Original advisory: https://github.com/advisories/GHSA-h3m5-97jq-qjrf
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-57168 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10