CVE-2026-56784 | OpenRemote Manager before 1.24.2 contains an insecure direct… | CVSS 8.3 HIGH

Description

OpenRemote Manager before 1.24.2 contains an insecure direct object reference vulnerability in the removeAlarms() method that allows authenticated users to delete alarms from other tenants by supplying arbitrary alarm IDs. The bulk deletion endpoint fails to validate that targeted alarm IDs belong to the caller's realm, enabling cross-tenant permanent destruction of safety-critical and security alerts.

Metadata

CVE ID: CVE-2026-56784
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-23 01:24 UTC
Published: 2026-06-23 12:13 UTC
Last updated: 2026-06-23 15:04 UTC
Primary CWE: CWE-639
Authorization Bypass Through User-Controlled Key
Vendor / Product: openremote / openremote
Sources: cve.org · NVD

Severity & Metrics

8.3 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
openremote	openremote	—	0 < 1.24.2, 1.24.2

Weakness (CWE)

CWE	Source	Description
CWE-639	cna	Authorization Bypass Through User-Controlled Key

CVSS scores (2)

Score	Severity	Version	Source	Vector
8.3	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
7.2	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

References (2)

GitHub Security Advisory (GHSA-h3m5-97jq-qjrf) https://github.com/openremote/openremote/security/advisories/GHSA-h3m5-97jq-qjrf
VulnCheck Advisory: OpenRemote Manager - Cross-Tenant IDOR in Bulk Alarm Deletion https://www.vulncheck.com/advisories/openremote-manager-cross-tenant-idor-in-bulk-alarm-deletion