CVE-2026-40882
XXE Vulnerability in OpenRemote Velbus Import Causes File Disclosure
Publication date: 2026-04-22
Last updated on: 2026-04-24
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openremote | openremote | all versions before 1.22.0 (1.22.0 itself is fixed and not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an authenticated user to trigger XML external entity processing, which can lead to server-side file disclosure and server-side request forgery (SSRF). Unauthorized disclosure of server-side files could expose personal or protected data held on the host.
Exposure of such data may affect compliance with data protection regulations such as GDPR and HIPAA, which require that personal and health information be safeguarded against unauthorized access and disclosure.
The vulnerability does require authentication, and a disclosed file must be shorter than 1023 characters, which limits the scope of data exposure (short configuration or credential files still fit within that limit).
Upgrading to version 1.22.0, which fixes the issue, is necessary to maintain compliance and reduce risk.
Can you explain this vulnerability to me?
This vulnerability exists in OpenRemote, an open-source Internet of Things platform, in versions prior to 1.22.0. The issue is in the Velbus asset import path, which parses attacker-controlled XML without protection against XML External Entity (XXE) attacks. An authenticated user who can reach the import endpoint can submit an XML document whose DOCTYPE declares an external entity, and the parser resolves that entity on the server.
Depending on the entity's URI this yields server-side file disclosure (the contents of a file on the server, limited to files shorter than 1023 characters, are reflected back through the import) or Server-Side Request Forgery (SSRF), where the server makes a request to a URL of the attacker's choosing.
The vulnerability was fixed in version 1.22.0 by adding explicit XXE hardening to the XML parser used for the import.
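As an added example (not OpenRemote's own code, and not the actual Velbus import implementation), the following Java program shows the general pattern behind this class of bug: a default JAXP `DocumentBuilderFactory` resolves external entities, so a DOCTYPE in an uploaded file pulls a local file into the parsed document, while a factory with DOCTYPE declarations disallowed and external entity access switched off rejects the same input. The element names `VelbusProject`, `Module` and `Name` and the secret file are constructed for the demonstration and are assumptions, not the real import format.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class XxeImportDemo {

    // Constructed import document carrying an XXE payload. The entity points at a
    // local file (file disclosure); pointing it at http://169.254.169.254/... or an
    // internal host instead is the SSRF variant described in the advisory.
    // Note: XML forbids external entity references inside attribute values, so the
    // reference has to sit in element content to be expanded.
    static String payload(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE VelbusProject [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
             + "]>\n"
             + "<VelbusProject><Module><Name>&xxe;</Name></Module></VelbusProject>";
    }

    // Unhardened pattern: a default JAXP factory expands external general entities,
    // so the secret file's contents end up in the parsed <Name> element.
    static String parseUnhardened(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        return moduleName(f.newDocumentBuilder(), xml);
    }

    // Hardened pattern: refuse any DOCTYPE (which kills inline and external entity
    // declarations outright) and, as defence in depth, disable external entities,
    // external DTD loading, XInclude and JAXP external access.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    static String parseHardened(String xml) throws Exception {
        return moduleName(hardenedBuilder(), xml);
    }

    // Extract the text of the first <Module><Name> element, which is where the
    // expanded entity lands in the unhardened case.
    private static String moduleName(DocumentBuilder builder, String xml) throws Exception {
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        return doc.getElementsByTagName("Name").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive server-side file.
        Path secret = Files.createTempFile("openremote-secret", ".txt");
        Files.write(secret, "db_password=hunter2".getBytes(StandardCharsets.UTF_8));
        String xml = payload(secret);

        System.out.println("unhardened parser returned: " + parseUnhardened(xml));
        try {
            parseHardened(xml);
            System.out.println("hardened parser accepted the document (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected the document: " + e.getMessage());
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run it with `javac XxeImportDemo.java && java XxeImportDemo` on a stock JDK: the first line echoes the temp file's contents, the second reports a parse error about the DOCTYPE being disallowed. When auditing a service like this, the check is simply whether every `DocumentBuilderFactory`, `SAXParserFactory`, `XMLInputFactory` or `TransformerFactory` on an input path sets these features; a factory created with plain `newInstance()` and nothing else is the vulnerable shape.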
How can this vulnerability impact me?
Exploitation of this vulnerability can have several impacts:
- Disclosure of sensitive server-side files shorter than 1023 characters, such as small configuration or credential files, exposing confidential information.
- Server-Side Request Forgery (SSRF), which may let an attacker make requests from the server to internal or external systems (for example internal services that trust the OpenRemote host), potentially leading to further compromise.
- Partial integrity and availability impact, as reflected in the CVSS assessment for this issue.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in OpenRemote version 1.22.0. The immediate mitigation is to upgrade your OpenRemote installation to version 1.22.0 or later.
Until the upgrade can be performed, restrict access to the Velbus import endpoint to trusted authenticated users, treat Velbus project files from untrusted sources as hostile, and review the accounts that currently hold the permission to perform imports, since any of them can trigger the issue.