CVE-2026-40882
Awaiting Analysis Awaiting Analysis - Queue
XXE Vulnerability in OpenRemote Velbus Import Causes File Disclosure

Publication date: 2026-04-22

Last updated on: 2026-04-24

Assigner: GitHub, Inc.

Description
OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which can lead to server-side file disclosure and SSRF. The target file must be less than 1023 characters. Version 1.22.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-04-23
EPSS Evaluated
2026-06-14
NVD
CVE-2026-40882
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openremote openremote to 1.22.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenRemote, an open-source internet-of-things platform, specifically in versions prior to 1.22.0. The issue is in the Velbus asset import path, which parses XML data controlled by an attacker without proper protection against XML External Entity (XXE) attacks. An authenticated user who can access the import endpoint can exploit this by triggering XML external entity processing.

This can lead to server-side file disclosure and Server-Side Request Forgery (SSRF), allowing the attacker to read files on the server (limited to files smaller than 1023 characters) or make unauthorized requests from the server.

The vulnerability was fixed in version 1.22.0 by adding explicit XXE hardening.

Impact Analysis

Exploitation of this vulnerability can have several impacts:

  • Disclosure of sensitive server-side files that are smaller than 1023 characters, potentially exposing confidential information.
  • Server-Side Request Forgery (SSRF), which may allow attackers to make unauthorized requests from the server to internal or external systems, potentially leading to further compromise.
  • Integrity and availability impacts, as indicated by the CVSS score, including partial loss of integrity and availability.
Mitigation Strategies

The vulnerability is fixed in OpenRemote version 1.22.0. Immediate mitigation involves upgrading your OpenRemote installation to version 1.22.0 or later.

Until the upgrade can be performed, restrict access to the import endpoint to only trusted authenticated users to reduce the risk of exploitation.

Compliance Impact

This vulnerability allows an authenticated user to trigger XML external entity processing, potentially leading to server-side file disclosure and server-side request forgery (SSRF). Such unauthorized disclosure of sensitive files could result in exposure of personal or protected data.

Exposure of sensitive data through this vulnerability may impact compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and health information against unauthorized access and disclosure.

However, the vulnerability requires authentication and the target file must be less than 1023 characters, which may limit the scope of data exposure.

Upgrading to version 1.22.0, which fixes the issue, is necessary to maintain compliance and reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40882. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart