CVE-2026-62238
7.2
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
Summary
OpenRemote before 1.26.0 contain an authenticated SQL injection vulnerability in the datapoint crosstab export endpoint that constructs PostgreSQL queries by concatenating asset display names into raw SQL. An authenticated attacker with asset creation or rename permissions can inject SQL through the asset name parameter and receive query results in the exported CSV response, enabling database data exfiltration.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| openremote | openremote | 0 < 1.26.0 | affected |
| openremote | openremote | 1.26.0 | unaffected |
Weaknesses
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
References
- https://github.com/openremote/openremote/security/advisories/GHSA-cgfv-jrfp-2r7v
- https://www.vulncheck.com/advisories/openremote-sql-injection-via-crosstab-export
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.