OpenRemote before 1.26.0 contain an authenticated SQL injection vulnerability in the datapoint crosstab export endpoint that constructs PostgreSQL queries by concatenating asset display names into raw SQL. An authenticated attacker with asset creation or rename permissions can inject SQL through the asset name parameter and receive query results in the exported CSV response, enabling database data exfiltration.
Metrics
Affected Vendors & Products
References
History
Fri, 17 Jul 2026 11:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 17 Jul 2026 00:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | OpenRemote before 1.26.0 contain an authenticated SQL injection vulnerability in the datapoint crosstab export endpoint that constructs PostgreSQL queries by concatenating asset display names into raw SQL. An authenticated attacker with asset creation or rename permissions can inject SQL through the asset name parameter and receive query results in the exported CSV response, enabling database data exfiltration. | |
| Title | OpenRemote < 1.26.0 SQL Injection via Crosstab Export | |
| First Time appeared |
Openremote
Openremote openremote |
|
| Weaknesses | CWE-89 | |
| CPEs | cpe:2.3:a:openremote:openremote:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Openremote
Openremote openremote |
|
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-17T10:28:10.902Z
Reserved: 2026-07-13T16:41:09.007Z
Link: CVE-2026-62238
Updated: 2026-07-17T10:27:49.099Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-17T03:15:05Z