CVE-2026-57168
Summary
OpenRemote Manager is vulnerable to a cross-tenant Insecure Direct
Object Reference (IDOR) in the bulk alarm deletion endpoint. An
authenticated user in any realm can delete alarms belonging to other
realms (tenants) by supplying arbitrary alarm IDs. The vulnerability
exists because the bulk removeAlarms() method only verifies that the
caller's own realm is active and accessible, but never checks whether
the targeted alarm IDs belong to the caller's realm before deleting
them.
This allows any user with alarm write permissions in their own realm
to permanently destroy alarm records — including safety-critical and
security alerts — belonging to any other tenant on the same OpenRemote
installation.
[Additional Information]
The singular removeAlarm() method correctly validates that the
target alarm's realm matches the caller's access:
// CORRECT (singular):
SentAlarm alarm = alarmService.getAlarm(alarmId);
if (!isRealmActiveAndAccessible(alarm.getRealm())) {
throw new ForbiddenException(...);
}
The plural removeAlarms() method is missing this per-alarm realm
check and only validates the caller's own realm — a check that is
trivially satisfied for any authenticated user:
// VULNERABLE (plural):
public void removeAlarms(RequestParams requestParams, List<Long> alarmIds) {
if (!isRealmActiveAndAccessible(getAuthenticatedRealmName())) {
throw new ForbiddenException(...); // always passes for any auth user
}
List<SentAlarm> alarms = alarmService.getAlarms(alarmIds); // no realm filter
alarmService.removeAlarms(alarms, alarmIds); // no realm filter
}
The underlying service queries contain no realm scoping:
// AlarmService.getAlarms(List<Long>):
"select sa from SentAlarm sa where sa.id in :ids"
// no realm filter
// AlarmService.removeAlarms():
"delete from SentAlarm sa where sa.id in :ids"
// no realm filter
⚡ Watch CVE-2026-57168
Get an email if CVE-2026-57168 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Advisory coverage (1)
- criticalGHSA-h3m5-97jq-qjrf: OpenRemote Manager: removeAlarms cross-realm IDOR (bulk delete)ghsa · 2026-06-19
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-57168)