CVE-2026-57168

CVE-2026-57168 is a critical-severity security vulnerability in io.openremote:openremote-manager (maven), affecting versions < 1.25.0. It is fixed in 1.25.0.

Summary

OpenRemote Manager is vulnerable to a cross-tenant Insecure Direct
Object Reference (IDOR) in the bulk alarm deletion endpoint. An
authenticated user in any realm can delete alarms belonging to other
realms (tenants) by supplying arbitrary alarm IDs. The vulnerability
exists because the bulk removeAlarms() method only verifies that the
caller's own realm is active and accessible, but never checks whether
the targeted alarm IDs belong to the caller's realm before deleting
them.

This allows any user with alarm write permissions in their own realm
to permanently destroy alarm records, including safety-critical and
security alerts, belonging to any other tenant on the same OpenRemote
installation.

[Additional Information]
The singular removeAlarm() method correctly validates that the
target alarm's realm matches the caller's access:

// CORRECT (singular): the alarm is loaded first, then its realm is
// checked against the caller's access before anything is deleted.
SentAlarm alarm = alarmService.getAlarm(alarmId);
if (!isRealmActiveAndAccessible(alarm.getRealm())) {
    throw new ForbiddenException(...);
}

The plural removeAlarms() method is missing this per-alarm realm
check and only validates the caller's own realm, a check that is
trivially satisfied for any authenticated user:

// VULNERABLE (plural): only the caller's own realm is checked; the
// realm of each targeted alarm is never compared to it.
public void removeAlarms(RequestParams requestParams, List<Long> alarmIds) {
    if (!isRealmActiveAndAccessible(getAuthenticatedRealmName())) {
        throw new ForbiddenException(...);  // always passes for any auth user
    }
    List<SentAlarm> alarms = alarmService.getAlarms(alarmIds);  // no realm filter
    alarmService.removeAlarms(alarms, alarmIds);                // no realm filter
}

The underlying service queries contain no realm scoping:

// AlarmService.getAlarms(List<Long>):
"select sa from SentAlarm sa where sa.id in :ids"
// no realm filter

// AlarmService.removeAlarms():
"delete from SentAlarm sa where sa.id in :ids"
// no realm filter

Alarm IDs are sequential auto-increment Long values (JPA
@GeneratedValue), making them trivially enumerable.

[Vulnerability Type]
Insecure Direct Object Reference (IDOR) / Missing Authorization
CWE-639: Authorization Bypass Through User-Controlled Key
CWE-862: Missing Authorization

[Vendor of Product]
OpenRemote Inc. (openremote.io)

[Affected Product Code Base]
OpenRemote Manager - current version as of 2026
(github.com/openremote/openremote)

[Affected Component]
org.openremote.manager.alarm.AlarmResourceImpl#removeAlarms()
org.openremote.manager.alarm.AlarmService#getAlarms(List)
org.openremote.manager.alarm.AlarmService#removeAlarms()

File: manager/src/main/java/org/openremote/manager/alarm/AlarmResourceImpl.java
File: manager/src/main/java/org/openremote/manager/alarm/AlarmService.java

[Attack Type]
Remote (authenticated)

[CVE Impact Other]
Cross-tenant permanent destruction of alarm records, including
safety-critical and security alerts in IoT environments. Also enables
cross-tenant alarm enumeration (presence disclosure of alarm IDs
across all tenants).

[Attack Vectors]

  1. Attacker registers or obtains any low-privilege account in any realm
    on the target OpenRemote installation (or uses an existing account).
  2. Attacker enumerates alarm IDs belonging to other realms by sending
    bulk delete requests with sequential IDs (presence confirmed by
    404 vs 200 response codes). Note that this probing is itself
    destructive: every ID that answers 200 has already been deleted.
  3. Attacker issues a single bulk delete request containing IDs of
    alarms belonging to victim realm(s).
  4. Alarms are permanently deleted with no authorization error.

PoC:

Tenant A (attacker) : realm = "tenant-a"
                      user  = [email protected]
                      role  = WRITE_ALARMS_ROLE

Tenant B (victim)   : realm = "tenant-b"
                      alarms with IDs 1173, 1174, 1180 exist

DELETE /api/smartcity/alarm HTTP/2
Content-Type: application/json

[1173, 1174, 1180]   <- request body: alarm IDs belonging to tenant-b
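The following is an added example, not code from OpenRemote or from the advisory. It models the flawed bulk handler and a realm-scoped replacement against an in-memory SQLite table so the authorization logic can be exercised on its own. The table layout, the sample rows, the handler names and the status-code behaviour (200 when every requested ID was found and deleted, 404 otherwise) are assumptions chosen to mirror the 404-vs-200 oracle the advisory describes; they are not the project's real schema or API. The hardened variant puts the realm predicate on both the lookup and the delete, and answers 404 for a foreign ID exactly as it does for a nonexistent one, so the endpoint no longer confirms the presence of other tenants' alarms.

```python
"""Bulk alarm deletion: cross-tenant IDOR versus realm-scoped deletion.

Constructed model of CVE-2026-57168, not OpenRemote code. Table, rows,
handler names and status codes are assumptions made for illustration.
"""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Caller:
    """Authenticated principal: the realm its token was issued for."""
    realm: str
    can_write_alarms: bool = True   # stands in for WRITE_ALARMS_ROLE in the caller's own realm


def new_db() -> sqlite3.Connection:
    """In-memory stand-in for the SentAlarm table, seeded with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE sent_alarm (id INTEGER PRIMARY KEY, realm TEXT NOT NULL, title TEXT NOT NULL)"
    )
    db.executemany(
        "INSERT INTO sent_alarm VALUES (?, ?, ?)",
        [
            (1170, "tenant-a", "door left open"),
            (1173, "tenant-b", "smoke detected"),
            (1174, "tenant-b", "intrusion"),
            (1180, "tenant-b", "tamper"),
        ],
    )
    return db


def _placeholders(ids):
    """Build a '?, ?, ?' list so IDs are always bound, never interpolated."""
    return ",".join("?" * len(ids))


def remove_alarms_vulnerable(db, caller, alarm_ids):
    """Mirrors the flawed plural handler: only the caller's own realm is
    checked, and both the lookup and the delete are keyed on id alone."""
    if not caller.can_write_alarms:
        return 403
    ids = list(alarm_ids)
    found = db.execute(
        f"SELECT id FROM sent_alarm WHERE id IN ({_placeholders(ids)})", ids
    ).fetchall()
    if len(found) != len(ids):
        return 404          # assumed behaviour; leaks whether an ID exists in any realm
    db.execute(f"DELETE FROM sent_alarm WHERE id IN ({_placeholders(ids)})", ids)
    db.commit()
    return 200              # other tenants' alarms are gone


def remove_alarms_hardened(db, caller, alarm_ids):
    """Realm-scoped variant: every requested alarm must belong to the
    caller's realm. The realm predicate is on the lookup and on the delete,
    and a request naming any alarm outside the realm is rejected as a whole
    with the same status a nonexistent ID gets, so nothing about other
    realms is confirmed or destroyed."""
    if not caller.can_write_alarms:
        return 403
    ids = list(alarm_ids)
    if not ids:
        return 400
    owned = db.execute(
        f"SELECT id FROM sent_alarm WHERE id IN ({_placeholders(ids)}) AND realm = ?",
        [*ids, caller.realm],
    ).fetchall()
    if len(owned) != len(ids):
        return 404          # identical answer for foreign and nonexistent IDs
    db.execute(
        f"DELETE FROM sent_alarm WHERE id IN ({_placeholders(ids)}) AND realm = ?",
        [*ids, caller.realm],
    )
    db.commit()
    return 200


def alarms_in(db, realm):
    """IDs still present for a realm, in ascending order."""
    return [r[0] for r in db.execute(
        "SELECT id FROM sent_alarm WHERE realm = ? ORDER BY id", (realm,)
    )]


if __name__ == "__main__":
    attacker = Caller("tenant-a")
    victim_ids = [1173, 1174, 1180]
    db = new_db()
    print("vulnerable:", remove_alarms_vulnerable(db, attacker, victim_ids), alarms_in(db, "tenant-b"))
    db = new_db()
    print("hardened:  ", remove_alarms_hardened(db, attacker, victim_ids), alarms_in(db, "tenant-b"))
    print("hardened, own alarm:", remove_alarms_hardened(db, attacker, [1170]), alarms_in(db, "tenant-a"))
```

The design choice worth copying is the second one: a silent per-row filter (`WHERE id IN (...) AND realm = ?` on the delete alone) stops the destruction but still lets a caller distinguish foreign from nonexistent IDs if the response reports how many rows were deleted. Checking that every requested ID resolved inside the caller's realm before deleting, and returning one status for any shortfall, closes the oracle as well.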

Impact

CVE-2026-57168 has a CVSS score of 9.6 (Critical). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.25.0); upgrading removes the vulnerable code path.

Affected versions

io.openremote:openremote-manager (< 1.25.0)

Security releases

io.openremote:openremote-manager → 1.25.0 (maven)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade io.openremote:openremote-manager to 1.25.0 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-57168? CVE-2026-57168 is a critical-severity security vulnerability in io.openremote:openremote-manager (maven), affecting versions < 1.25.0. It is fixed in 1.25.0.
  2. How severe is CVE-2026-57168? CVE-2026-57168 has a CVSS score of 9.6 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of io.openremote:openremote-manager are affected by CVE-2026-57168? io.openremote:openremote-manager (maven) versions < 1.25.0 are affected.
  4. Is there a fix for CVE-2026-57168? Yes. CVE-2026-57168 is fixed in 1.25.0. Upgrade to this version or later.
  5. Is CVE-2026-57168 exploitable, and should I be worried? Whether CVE-2026-57168 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-57168 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-57168? Upgrade io.openremote:openremote-manager to 1.25.0 or later.

Other vulnerabilities in io.openremote:openremote-manager

CVE-2026-41166
CVE-2026-40882
CVE-2026-39842
