Compliance Impact

The vulnerability allows attackers to execute arbitrary code on the server, leading to full server compromise including arbitrary file read, environment variable theft (such as database credentials), and bypass of multi-tenant isolation to access data across all realms.

Such unauthorized access and data exposure can result in violations of data protection regulations like GDPR and HIPAA, which require strict controls on personal and sensitive data confidentiality, integrity, and access.

Therefore, exploitation of this vulnerability could lead to non-compliance with these standards due to unauthorized data access, potential data breaches, and failure to maintain adequate security controls.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade OpenRemote to version 1.22.0 or later, where the issue has been fixed.

Additionally, restrict the write:rules role to trusted users only, as users with this role can create JavaScript rules that execute with full JVM access.

Useful 0 Not Useful 0

Executive Summary

This vulnerability exists in OpenRemote, an open-source IoT platform, specifically in versions 1.21.0 and below. It involves two related expression injection flaws in the rules engine that allow arbitrary code execution on the server.

The JavaScript rules engine executes user-supplied scripts using Nashorn's ScriptEngine.eval() without sandboxing, class filtering, or access restrictions. While Groovy rules are restricted to superusers, JavaScript rules can be created by any user with the write:rules role.

Additionally, the Groovy rules engine has a security filter called GroovyDenyAllFilter that is defined but never activated because its registration code is commented out, making the sandbox ineffective for Groovy rules created by superusers.

As a result, a non-superuser attacker with the write:rules role can create JavaScript rulesets that execute with full JVM access, enabling remote code execution as root, arbitrary file reading, environment variable theft including database credentials, and bypassing multi-tenant isolation to access data across all realms.

This vulnerability was fixed in OpenRemote version 1.22.0.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including remote code execution on the server with root privileges.

• Attackers can execute arbitrary code on the server.
• They can read arbitrary files on the system.
• They can steal environment variables, including sensitive database credentials.
• They can bypass multi-tenant isolation, gaining access to data across all realms.

Useful 0 Not Useful 0

Detection Guidance

Detection of CVE-2026-39842 involves monitoring for unauthorized creation or modification of JavaScript rulesets via the OpenRemote API endpoints. Specifically, look for POST requests to the following endpoints: /api/{realm}/rules/realm and /api/{realm}/rules/asset containing JSON bodies with "lang":"JAVASCRIPT" and suspicious or unexpected script content.

Commands to detect potential exploitation attempts could include network traffic inspection or API request logging filtering for such POST requests. For example, using curl or similar tools to query logs or monitor API usage.

• Check API logs for POST requests to /api/*/rules/realm or /api/*/rules/asset with payloads containing "lang":"JAVASCRIPT".
• Use network monitoring tools (e.g., tcpdump, Wireshark) to capture and analyze HTTP POST requests to the above endpoints.
• Example command to search logs for suspicious JavaScript rules creation: grep -i 'POST /api/.*/rules/.*' /var/log/openremote/api.log | grep '"lang":"JAVASCRIPT"'
• If you have access to the database, query for rulesets with JavaScript language set, e.g., SELECT * FROM rulesets WHERE lang = 'JAVASCRIPT';

Since the vulnerability allows arbitrary code execution, monitoring for unusual system activity or unexpected JVM process behavior may also help detect exploitation.

Useful 0 Not Useful 0