Description
OpenRemote before 1.26.0 contain an authenticated SQL injection vulnerability in the datapoint crosstab export endpoint that constructs PostgreSQL queries by concatenating asset display names into raw SQL. An authenticated attacker with asset creation or rename permissions can inject SQL through the asset name parameter and receive query results in the exported CSV response, enabling database data exfiltration.
Analysis and contextual insights are available on OpenCVE Cloud.
Remediation
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Fri, 17 Jul 2026 00:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | OpenRemote before 1.26.0 contain an authenticated SQL injection vulnerability in the datapoint crosstab export endpoint that constructs PostgreSQL queries by concatenating asset display names into raw SQL. An authenticated attacker with asset creation or rename permissions can inject SQL through the asset name parameter and receive query results in the exported CSV response, enabling database data exfiltration. | |
| Title | OpenRemote < 1.26.0 SQL Injection via Crosstab Export | |
| First Time appeared |
Openremote
Openremote openremote |
|
| Weaknesses | CWE-89 | |
| CPEs | cpe:2.3:a:openremote:openremote:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Openremote
Openremote openremote |
|
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-17T00:07:12.425Z
Reserved: 2026-07-13T16:41:09.007Z
Link: CVE-2026-62238
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-17T03:15:05Z
Weaknesses