CVE-2026-56784
Deferred - Pending Action
Insecure Direct Object Reference in OpenRemote Manager Allows Cross-Tenant Alarm Deletion

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: VulnCheck

Description
OpenRemote Manager before 1.24.2 contains an insecure direct object reference vulnerability in the removeAlarms() method that allows authenticated users to delete alarms from other tenants by supplying arbitrary alarm IDs. The bulk deletion endpoint fails to validate that targeted alarm IDs belong to the caller's realm, enabling cross-tenant permanent destruction of safety-critical and security alerts.
Meta Information
Generated: 2026-06-23
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products
1 associated CPE:
Vendor: openremote
Product: manager
Version / Range: all versions before 1.24.2 (1.24.2 itself excluded)
Exploitability
CWE
CWE-639 (Authorization Bypass Through User-Controlled Key): The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Quick Actions
Executive Summary

This vulnerability is an insecure direct object reference (IDOR) in OpenRemote Manager versions before 1.24.2, specifically in the bulk alarm deletion method called removeAlarms().

Authenticated users can delete alarms belonging to other tenants by supplying arbitrary alarm IDs, because the method never verifies that each targeted alarm belongs to the caller's realm.

The result is cross-tenant, permanent deletion of safety-critical and security alerts. Since alarm IDs are sequential, an attacker needs no prior knowledge of a victim tenant's alarms and can simply enumerate ID ranges.

Compliance Impact

The vulnerability lets an authenticated user of one tenant permanently delete another tenant's alarms, including safety-critical and security alerts. The harm is to the integrity and availability of another tenant's records rather than their confidentiality, but it still breaks the tenant isolation that a multi-tenant deployment is expected to enforce.

For deployments in regulated settings, unauthorized cross-tenant destruction of security and safety records can conflict with obligations under regimes such as GDPR and HIPAA, which require controls that keep records accurate, available and limited to authorized parties, and with any standard that mandates segregation of tenant data.

Impact Analysis

The vulnerability allows an authenticated user to permanently delete alarms from other tenants, including safety-critical and security-related alerts.

This destroys data the affected tenants rely on for monitoring and alerting, and because security alerts are among the records removed, it can also erase the evidence of other activity on the system.

Because alarm IDs are easily enumerable, an attacker can iterate through ID ranges and delete alarms across every tenant on the instance rather than a single target, causing widespread data destruction.

Detection Guidance

Because alarm IDs are sequential auto-increment values, a tester does not need to know another tenant's alarm IDs in advance: pick IDs outside the range your own tenant has been assigned and submit them to the bulk removeAlarms() endpoint with your tenant's credentials. If the call succeeds and the alarm is gone when queried from the owning tenant, the instance is vulnerable; a fixed instance rejects or ignores IDs that do not belong to the caller's realm.

Run this only against an instance with two tenants you control: a successful test permanently destroys the target alarm, and guessing IDs on a production system destroys other tenants' data.

The exact path, HTTP method and parameter format of the bulk deletion endpoint are not stated in this advisory; take them from the API of the OpenRemote Manager version under test and drive it with curl or any HTTP client that can carry the authenticated session.
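As an added example, not OpenRemote code: the realm check whose absence the Description above describes, written beside the unscoped version, and the two-tenant test from the Detection Guidance run against both. The in-memory AlarmStore, the remove_alarms_* function names, and the realm names are assumptions made for illustration; the real removeAlarms() signature, HTTP endpoint and storage are not given on this page.

```python
"""Realm-scoped bulk alarm deletion: the IDOR pattern behind CVE-2026-56784.

Added example, not OpenRemote code. The AlarmStore, the two remove_alarms_*
functions and the realm names are assumptions made for illustration; the
real removeAlarms() signature, HTTP endpoint and storage are not given here.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Alarm:
    alarm_id: int   # sequential auto-increment id, as the advisory describes
    realm: str      # tenant that owns the alarm
    title: str


@dataclass
class AlarmStore:
    """Minimal stand-in for the alarm table."""
    alarms: dict[int, Alarm] = field(default_factory=dict)
    next_id: int = 1

    def create(self, realm: str, title: str) -> int:
        alarm_id = self.next_id
        self.next_id += 1
        self.alarms[alarm_id] = Alarm(alarm_id, realm, title)
        return alarm_id

    def ids_in_realm(self, realm: str) -> set[int]:
        return {a.alarm_id for a in self.alarms.values() if a.realm == realm}


def remove_alarms_vulnerable(store: AlarmStore, caller_realm: str,
                             alarm_ids: list[int]) -> int:
    """Bulk delete that trusts the supplied ids (the pre-1.24.2 behaviour).

    caller_realm is accepted but never consulted, so any user with alarm
    write permission in one realm can delete alarms in every other realm.
    """
    deleted = 0
    for alarm_id in alarm_ids:
        if store.alarms.pop(alarm_id, None) is not None:
            deleted += 1
    return deleted


def remove_alarms_fixed(store: AlarmStore, caller_realm: str,
                        alarm_ids: list[int]) -> int:
    """Bulk delete scoped to the caller's realm.

    The whole batch is checked before anything is deleted, and a batch that
    touches another realm is rejected outright rather than silently trimmed,
    so partial success cannot be used to learn which foreign ids exist.
    Ids that do not exist are treated exactly like foreign ids for the same
    reason.
    """
    requested = set(alarm_ids)
    foreign = requested - store.ids_in_realm(caller_realm)
    if foreign:
        raise PermissionError(
            f"alarm ids not owned by realm {caller_realm!r}: {sorted(foreign)}")
    for alarm_id in requested:
        del store.alarms[alarm_id]
    return len(requested)


def probe_cross_tenant_deletion(remove_alarms) -> bool:
    """Two-tenant test of a bulk-delete implementation.

    Create an alarm in tenant B, delete its id as a user of tenant A, then
    check whether B's alarm survived. Returns True when the implementation
    is vulnerable. Against a live system run this only on a lab instance
    with tenants you own: the deletion is permanent.
    """
    store = AlarmStore()
    store.create("tenant-a", "door forced open")            # id 1, caller's own
    victim_id = store.create("tenant-b", "smoke detected")  # id 2, other tenant
    try:
        remove_alarms(store, "tenant-a", [victim_id])
    except PermissionError:
        pass                                                # expected for the fix
    return victim_id not in store.alarms


if __name__ == "__main__":
    for name, impl in [("vulnerable", remove_alarms_vulnerable),
                       ("fixed", remove_alarms_fixed)]:
        print(f"{name}: cross-tenant deletion possible = "
              f"{probe_cross_tenant_deletion(impl)}")
```

The fixed variant deliberately rejects the whole batch instead of deleting the caller's own IDs and skipping the rest: a trim-and-continue fix closes the deletion but leaves an oracle, since the returned count would reveal which foreign IDs exist.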

Mitigation Strategies

The immediate and recommended mitigation step is to upgrade OpenRemote Manager to version 1.24.2 or later, where this vulnerability has been fixed.

Until the upgrade can be performed, limit alarm write permissions to the users who genuinely need them, since the flaw is reachable only by authenticated callers with that permission, and audit alarm deletions closely for calls that reference IDs outside the caller's realm. Record those audit events somewhere the same accounts cannot modify: an attacker who can delete alarms can also delete the alerts you would otherwise rely on to notice the attack.

Where possible, add access controls or network segmentation so that only trusted networks or roles can reach the bulk alarm deletion endpoint at all.
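One way to act on the advice above to monitor alarm deletions, as an added example and not anything OpenRemote ships: a detector run over constructed audit lines that flags bulk deletions reaching into another realm, plus the long contiguous ID runs that enumeration produces. The log line layout, field names and the alarm-ownership table are assumptions; OpenRemote's actual audit output is not documented on this page.

```python
"""Flag bulk alarm deletions that reach into another tenant's realm.

Added example, not OpenRemote code. The audit line format, the field names
and the ownership snapshot below are constructed for illustration; adapt
parse_deletions() to whatever audit trail your deployment emits.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed audit lines, one bulk removeAlarms() call per line.
SAMPLE_LOG = """\
2026-06-24T10:15:02Z user=alice realm=tenant-a action=removeAlarms ids=101,102
2026-06-24T10:16:45Z user=bob realm=tenant-b action=removeAlarms ids=205
2026-06-24T10:17:10Z user=mallory realm=tenant-c action=removeAlarms ids=101,102,103,104,105,106,107,108
2026-06-24T10:18:33Z user=alice realm=tenant-a action=getAlarms
"""

# Constructed snapshot of alarm id -> owning realm. In practice this has to
# come from somewhere the deleter cannot reach (a pre-deletion backup, or the
# audit event itself recording the alarm's realm), because the deleted rows
# are gone from the live table by the time you investigate.
ALARM_OWNER = {
    101: "tenant-a", 102: "tenant-a", 103: "tenant-a",
    104: "tenant-b", 105: "tenant-b", 205: "tenant-b",
    106: "tenant-c", 107: "tenant-c", 108: "tenant-c",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) realm=(?P<realm>\S+) "
    r"action=removeAlarms ids=(?P<ids>\d+(?:,\d+)*)$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    caller_realm: str
    foreign_ids: tuple[int, ...]  # ids owned by a realm other than the caller's
    contiguous_run: bool          # long unbroken id range, typical of enumeration


def parse_deletions(log_text: str):
    """Yield (timestamp, user, realm, ids) for every bulk deletion line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ids = tuple(int(x) for x in m["ids"].split(","))
            yield m["ts"], m["user"], m["realm"], ids


def is_contiguous_run(ids, min_len: int = 5) -> bool:
    """True for an unbroken range of at least min_len ids (e.g. 101..108)."""
    s = sorted(set(ids))
    return len(s) >= min_len and s[-1] - s[0] == len(s) - 1


def find_cross_tenant_deletions(log_text: str, owner: dict[int, str],
                                run_threshold: int = 5) -> list[Finding]:
    """Return one Finding per deletion that is cross-tenant or looks enumerated.

    An id missing from the ownership snapshot is assumed to belong to the
    caller, so an incomplete snapshot makes the ownership check miss
    findings rather than invent them.
    """
    findings = []
    for ts, user, realm, ids in parse_deletions(log_text):
        foreign = tuple(i for i in ids if owner.get(i, realm) != realm)
        run = is_contiguous_run(ids, run_threshold)
        if foreign or run:
            findings.append(Finding(ts, user, realm, foreign, run))
    return findings


if __name__ == "__main__":
    for f in find_cross_tenant_deletions(SAMPLE_LOG, ALARM_OWNER):
        print(f)
```

On the constructed input only mallory's call is flagged: five of the eight IDs belong to other realms, and the unbroken 101..108 range is the signature of walking sequential IDs. Ship these findings to a channel outside OpenRemote's own alarm list, since the attacker can delete that list.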
