PatchSiren cyber security CVE debrief
CVE-2026-62238 openremote CVE debrief
CVE-2026-62238 is an authenticated SQL injection vulnerability in OpenRemote before 1.26.0. The vulnerability exists in the datapoint crosstab export endpoint, which constructs PostgreSQL queries by concatenating asset display names into raw SQL. An authenticated attacker with asset creation or rename permissions can inject SQL through the asset name parameter and receive query results in the exported CSV response, enabling database data exfiltration. This vulnerability has a high impact on the confidentiality and integrity of the affected systems.
- Vendor
- openremote
- Product
- Unknown
- CVSS
- HIGH 7.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Users of OpenRemote before version 1.26.0 should be aware of this vulnerability and take steps to mitigate it. This includes administrators and users with asset creation or rename permissions. They should be cautious when dealing with this vulnerability and consider the potential impact on their systems.
Technical summary
The datapoint crosstab export endpoint in OpenRemote before 1.26.0 is vulnerable to authenticated SQL injection. The endpoint constructs PostgreSQL queries by concatenating asset display names into raw SQL, allowing an attacker to inject malicious SQL code. This can be exploited by an authenticated attacker with asset creation or rename permissions, who can inject SQL through the asset name parameter and receive query results in the exported CSV response. The vulnerability is caused by the lack of input validation and sanitization in the endpoint.
Defensive priority
High
Recommended defensive actions
- Upgrade OpenRemote to version 1.26.0 or later
- Restrict asset creation and rename permissions to trusted users
- Monitor for suspicious activity on the datapoint crosstab export endpoint
- Implement additional security controls, such as input validation and sanitization
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-17T02:18:11.613Z and has not been modified since then. The NVD entry is currently Received. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The CVE record does not provide additional details about the vulnerability, and the NVD entry is also limited. Defenders should be cautious when dealing with this vulnerability and consider the potential impact on their systems.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T02:18:11.613Z and has not been modified since then.