OpenRemote before 1.26.0 contain an authenticated SQL injection vulnerability in the datapoint crosstab export endpoint that constructs PostgreSQL queries by concatenating asset display names into raw SQL. An authenticated attacker with asset creation or rename permissions can inject SQL through the asset name parameter and receive query results in the exported CSV response, enabling database data exfiltration.
History

Fri, 17 Jul 2026 00:30:00 +0000

Type Values Removed Values Added
Description OpenRemote before 1.26.0 contain an authenticated SQL injection vulnerability in the datapoint crosstab export endpoint that constructs PostgreSQL queries by concatenating asset display names into raw SQL. An authenticated attacker with asset creation or rename permissions can inject SQL through the asset name parameter and receive query results in the exported CSV response, enabling database data exfiltration.
Title OpenRemote < 1.26.0 SQL Injection via Crosstab Export
First Time appeared Openremote
Openremote openremote
Weaknesses CWE-89
CPEs cpe:2.3:a:openremote:openremote:*:*:*:*:*:*:*:*
Vendors & Products Openremote
Openremote openremote
References
Metrics cvssV4_0

{'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-17T00:07:12.425Z

Reserved: 2026-07-13T16:41:09.007Z

Link: CVE-2026-62238

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-17T03:15:05Z