CVE-2026-62238
Received Received - Intake

Authenticated SQL Injection in OpenRemote via Asset Name Parameter

Vulnerability report for CVE-2026-62238, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: VulnCheck

Description

OpenRemote before 1.26.0 contain an authenticated SQL injection vulnerability in the datapoint crosstab export endpoint that constructs PostgreSQL queries by concatenating asset display names into raw SQL. An authenticated attacker with asset creation or rename permissions can inject SQL through the asset name parameter and receive query results in the exported CSV response, enabling database data exfiltration.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
openremote openremote to 1.26.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is an authenticated SQL injection vulnerability in OpenRemote versions before 1.26.0. It occurs in the datapoint crosstab export endpoint where asset display names are directly concatenated into raw PostgreSQL queries without proper escaping. An attacker with asset creation or rename permissions can inject malicious SQL code through the asset name parameter. The injected queries are executed and their results returned in the CSV export response, enabling database data exfiltration.

Detection Guidance

To detect this vulnerability, check if your OpenRemote instance is running a version before 1.26.0. Review logs for unusual SQL query patterns or failed export attempts. Look for asset names containing SQL metacharacters or suspicious characters in datapoint export responses.

Impact Analysis

An attacker could steal sensitive data from your database by exploiting this vulnerability. They would need valid authentication and asset read/write permissions. In multi-tenant setups, they might access data outside their tenant if the database role has read access to shared tables. The impact includes potential data breaches, unauthorized data access, and compliance violations.

Compliance Impact

This vulnerability could lead to violations of GDPR, HIPAA, and other regulations due to unauthorized data access or exfiltration. GDPR requires protecting personal data, while HIPAA mandates safeguarding protected health information. A successful exploit could result in data breaches, triggering mandatory breach notifications and potential fines under these regulations.

Mitigation Strategies

Immediately upgrade OpenRemote to version 1.26.0 or later. If upgrading is not possible, restrict asset creation and renaming permissions to trusted users only. Monitor database access logs for unauthorized queries or data exfiltration attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-62238. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart