CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-57168

criticalCVSS 9.6covered by 1 sourcefirst seen 2026-06-19
Summary OpenRemote Manager is vulnerable to a cross-tenant Insecure Direct Object Reference (IDOR) in the bulk alarm deletion endpoint. An authenticated user in any realm can delete alarms belonging to other realms (tenants) by supplying arbitrary alarm IDs. The vulnerability exists because the bulk removeAlarms() method only verifies that the caller's own realm is active and accessible, but never checks whether the targeted alarm IDs belong to the caller's realm before deleting them. This allows any user with alarm write permissions in their own realm to permanently destroy alarm records — including safety-critical and security alerts — belonging to any other tenant on the same OpenRemote installation. [Additional Information] The singular removeAlarm() method correctly validates that the target alarm's realm matches the caller's access: // CORRECT (singular): SentAlarm alarm = alarmService.getAlarm(alarmId); if (!isRealmActiveAndAccessible(alarm.getRealm())) { throw new ForbiddenException(...); } The plural removeAlarms() method is missing this per-alarm realm check and only validates the caller's own realm — a check that is trivially satisfied for any authenticated user: // VULNERABLE (plural): public void removeAlarms(RequestParams requestParams, List<Long> alarmIds) { if (!isRealmActiveAndAccessible(getAuthenticatedRealmName())) { throw new ForbiddenException(...); // always passes for any auth user } List<SentAlarm> alarms = alarmService.getAlarms(alarmIds); // no realm filter alarmService.removeAlarms(alarms, alarmIds); // no realm filter } The underlying service queries contain no realm scoping: // AlarmService.getAlarms(List<Long>): "select sa from SentAlarm sa where sa.id in :ids" // no realm filter // AlarmService.removeAlarms(): "delete from SentAlarm sa where sa.id in :ids" // no realm filter

⚡ Watch CVE-2026-57168

Get an email if CVE-2026-57168 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-57168

CVE.org record

Embed the live status

CVE-2026-57168 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-57168 status](https://www.csirts.com/badge/CVE-2026-57168)](https://www.csirts.com/cve/CVE-2026-57168)