CVE-2026-39842
Expression Injection in OpenRemote Rules Engine Enables Remote Code Execution
Publication date: 2026-04-15
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openremote | openremote | < 1.22.0 (1.22.0 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-917 | The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade OpenRemote to version 1.22.0 or later, where the issue has been fixed.
Additionally, restrict the write:rules role to trusted users only, as users with this role can create JavaScript rules that execute with full JVM access.
Can you explain this vulnerability to me?
This vulnerability exists in OpenRemote, an open-source IoT platform, specifically in versions 1.21.0 and below. It involves two related expression injection flaws in the rules engine that allow arbitrary code execution on the server.
The JavaScript rules engine executes user-supplied scripts using Nashorn's ScriptEngine.eval() without sandboxing, class filtering, or access restrictions. While Groovy rules are restricted to superusers, JavaScript rules can be created by any user with the write:rules role.
Additionally, the Groovy rules engine has a security filter called GroovyDenyAllFilter that is defined but never activated because its registration code is commented out, making the sandbox ineffective for Groovy rules created by superusers.
As a result, a non-superuser attacker with the write:rules role can create JavaScript rulesets that execute with full JVM access, enabling remote code execution as root, arbitrary file reading, environment variable theft including database credentials, and bypassing multi-tenant isolation to access data across all realms.
This vulnerability was fixed in OpenRemote version 1.22.0.
How can this vulnerability impact me?
This vulnerability can have severe impacts including remote code execution on the server with root privileges.
- Attackers can execute arbitrary code on the server.
- They can read arbitrary files on the system.
- They can steal environment variables, including sensitive database credentials.
- They can bypass multi-tenant isolation, gaining access to data across all realms.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to execute arbitrary code on the server, leading to full server compromise including arbitrary file read, environment variable theft (such as database credentials), and bypass of multi-tenant isolation to access data across all realms.
Such unauthorized access and data exposure can result in violations of data protection regulations like GDPR and HIPAA, which require strict controls on personal and sensitive data confidentiality, integrity, and access.
Therefore, exploitation of this vulnerability could lead to non-compliance with these standards due to unauthorized data access, potential data breaches, and failure to maintain adequate security controls.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of CVE-2026-39842 involves monitoring for unauthorized creation or modification of JavaScript rulesets via the OpenRemote API endpoints. Specifically, look for POST requests to the following endpoints: /api/{realm}/rules/realm and /api/{realm}/rules/asset containing JSON bodies with "lang":"JAVASCRIPT" and suspicious or unexpected script content.
Commands to detect potential exploitation attempts can take the form of network traffic inspection or filtering of API request logs for such POST requests, for example by querying the logs of the reverse proxy or API gateway in front of OpenRemote, or by monitoring API usage with curl or similar tools.
- Check API logs for POST requests to /api/*/rules/realm or /api/*/rules/asset with payloads containing "lang":"JAVASCRIPT".
- Use network monitoring tools (e.g., tcpdump, Wireshark) to capture and analyze HTTP POST requests to the above endpoints.
- Example command to search logs for suspicious JavaScript rules creation: grep -i 'POST /api/.*/rules/.*' /var/log/openremote/api.log | grep '"lang":"JAVASCRIPT"'
- If you have access to the database, query for rulesets with JavaScript language set, e.g., SELECT * FROM rulesets WHERE lang = 'JAVASCRIPT';
Since the vulnerability allows arbitrary code execution, monitoring for unusual system activity or unexpected JVM process behavior may also help detect exploitation.
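As an added illustration (not part of this advisory or of OpenRemote's own code), the following Python detector applies the log-review heuristic above to constructed JSON-lines API audit records: it flags POST requests to the two rules endpoints whose body declares "lang":"JAVASCRIPT", and raises the severity when the script text contains strings that hint at JVM access. The record field names, the `rules` body field and the hint list are assumptions made for this example.

```python
import json
import re
# Rule-creation endpoints named in the advisory; {realm} is one path segment.
RULES_ENDPOINT = re.compile(r"^/api/[^/]+/rules/(realm|asset)$")
# Strings suggesting a script reaches into the JVM (illustrative assumption, not from the advisory).
JVM_ACCESS_HINTS = ("Java.type(", "java.lang.", "getenv", "ProcessBuilder")

def classify(record):
    """Return None (ignore), 'review' or 'high' for one API audit record."""
    if record.get("method") != "POST":
        return None
    if not RULES_ENDPOINT.match(record.get("path", "")):
        return None
    try:
        body = json.loads(record.get("body", ""))
    except (json.JSONDecodeError, TypeError):
        return "review"  # unparseable body sent to a rules endpoint
    if str(body.get("lang", "")).upper() != "JAVASCRIPT":
        return None  # Groovy rules are superuser-only; not this check's scope
    script = str(body.get("rules", ""))  # assumed field carrying the script
    if any(hint in script for hint in JVM_ACCESS_HINTS):
        return "high"
    return "review"  # any JavaScript ruleset is worth a look on < 1.22.0

def scan(lines):
    """Scan JSON-lines audit records; return (verdict, user, path) tuples."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # not an audit record
        verdict = classify(rec)
        if verdict:
            findings.append((verdict, rec.get("user", "?"), rec["path"]))
    return findings

def _rec(user, method, path, body=""):
    # Constructed record shape; map these fields onto what your gateway logs.
    return json.dumps({"user": user, "method": method, "path": path, "body": body})

# Constructed sample log, one JSON record per line (not real OpenRemote output).
SAMPLE_LOG = "\n".join([
    _rec("alice", "POST", "/api/master/rules/realm", json.dumps(
        {"lang": "JAVASCRIPT", "rules": "var S = Java.type('java.lang.System');"})),
    _rec("bob", "POST", "/api/master/rules/asset",
         json.dumps({"lang": "JAVASCRIPT", "rules": "rules.push({name: 'noop'});"})),
    _rec("bob", "GET", "/api/master/rules/realm"),
    _rec("carol", "POST", "/api/tenant2/rules/asset", "not-json{"),
])
```

Feed the detector the real request log and cross-check each "review" hit against the user's role: a JavaScript ruleset created by a non-superuser on a version below 1.22.0 is the pattern this advisory describes.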