[Critical] OpenRemote Manager: removeAlarms cross-realm IDOR (bulk delete)
Security bulletin · Severity: Critical · CVSS: 9.6 · GHSA-h3m5-97jq-qjrf
Vulnerability overview
Summary
OpenRemote Manager is vulnerable to a cross-tenant Insecure Direct
Object Reference (IDOR) in the bulk alarm deletion endpoint. An
authenticated user in any realm can delete alarms belonging to other
realms (tenants) by supplying arbitrary alarm IDs. The vulnerability
exists because the bulk removeAlarms() method only verifies that the
caller's own realm is active and accessible, but never checks whether
the targeted alarm IDs belong to the caller's realm before deleting
them.
This allows any user with alarm write permissions in their own realm
to permanently destroy alarm records — including safety-critical and
security alerts — belonging to any other tenant on the same OpenRemote
installation.
[Additional Information]
The singular removeAlarm() method correctly validates that the
target alarm's realm matches the caller's access:
```java
// CORRECT (singular):
SentAlarm alarm = alarmService.getAlarm(alarmId);
if (!isRealmActiveAndAccessible(alarm.getRealm())) {
    throw new ForbiddenException(...);
}
```
The plural removeAlarms() method is missing this per-alarm realm
check and only validates the caller's own realm — a check that is
trivially satisfied for any authenticated user:
```java
// VULNERABLE (plural):
public void removeAlarms(RequestParams requestParams, List<Long> alarmIds) {
    if (!isRealmActiveAndAccessible(getAuthenticatedRealmName())) {
        throw new ForbiddenException(...); // always passes for any authenticated user
    }
    List<SentAlarm> alarms = alarmService.getAlarms(alarmIds); // no realm filter
    alarmService.removeAlarms(alarms, alarmIds);               // no realm filter
}
```
The underlying service queries contain no realm scoping:
```java
// AlarmService.getAlarms(List<Long>):
"select sa from SentAlarm sa where sa.id in :ids"   // no realm filter

// AlarmService.removeAlarms():
"delete from SentAlarm sa where sa.id in :ids"      // no realm filter
```
Alarm IDs are sequential auto-increment Long values (JPA
@GeneratedValue), making them trivially enumerable.
[Vulnerability Type]
Insecure Direct Object Reference (IDOR) / Missing Authorization
CWE-639: Authorization Bypass Through User-Controlled Key
CWE-862: Missing Authorization
[Vendor of Product]
OpenRemote Inc. (openremote.io)
[Affected Product Code Base]
OpenRemote Manager, versions before 1.24.2
(github.com/openremote/openremote)
[Affected Component]
org.openremote.manager.alarm.AlarmResourceImpl#removeAlarms()
org.openremote.manager.alarm.AlarmService#getAlarms(List)
org.openremote.manager.alarm.AlarmService#removeAlarms()
File: manager/src/main/java/org/openremote/manager/alarm/AlarmResourceImpl.java
File: manager/src/main/java/org/openremote/manager/alarm/AlarmService.java
[Attack Type]
Remote (authenticated)
[CVE Impact Other]
Cross-tenant permanent destruction of alarm records, including
safety-critical and security alerts in IoT environments. Also enables
cross-tenant alarm enumeration (presence disclosure of alarm IDs
across all tenants).
[Attack Vectors]
- The attacker registers or otherwise obtains an account with alarm write permission in any realm on the target OpenRemote installation (or uses an existing one).
- The attacker enumerates alarm IDs belonging to other realms by sending bulk delete requests with sequential IDs; presence is confirmed by the 404 vs 200 response codes.
- The attacker issues a single bulk delete request containing the IDs of alarms belonging to the victim realm(s).
- The alarms are permanently deleted with no authorization error.
PoC:

Tenant A (attacker): realm = "tenant-a"
                     user  = attacker@tenant-a.com
                     role  = WRITE_ALARMS_ROLE
Tenant B (victim):   realm = "tenant-b"
                     alarms with IDs 1173, 1174 and 1180 exist

```http
DELETE /api/smartcity/alarm HTTP/2
Authorization: Bearer <access token issued to attacker@tenant-a.com>
Content-Type: application/json

[1174, 1173, 1180]   // <- IDs of tenant-b's alarms
```
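To make the missing check and its consequence concrete, the following is an added example, not OpenRemote's code. It is a self-contained, in-memory stand-in for the SentAlarm table and the realm predicate quoted above: `removeAlarmsVulnerable` mirrors the plural method from the "Additional Information" section (caller-realm check only, no per-alarm check), and `removeAlarmsHardened` applies the singular method's per-alarm `isRealmActiveAndAccessible` check to every resolved row and fails the whole batch closed. The `Caller`, `AlarmStore` and `SentAlarm` classes are simplified models (one realm per caller, no super-user handling, no database); the IDs and realm names are the constructed ones from the PoC above. It needs Java 17 or later and runs with `java AlarmRealmCheckDemo.java`.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;

// Added illustration, not OpenRemote code: an in-memory stand-in for the SentAlarm
// table and for the realm check quoted on this page, so the missing per-alarm check
// in removeAlarms() and one way to close it can be run without a database.
public class AlarmRealmCheckDemo {

    // Only the two fields the authorization decision depends on.
    record SentAlarm(long id, String realm) {}

    static class ForbiddenException extends RuntimeException {
        ForbiddenException(String msg) { super(msg); }
    }

    // Stand-in for AlarmService: lookups are keyed on id alone, like the unscoped
    // "where sa.id in :ids" queries quoted above.
    static class AlarmStore {
        private final Map<Long, SentAlarm> rows = new HashMap<>();
        void insert(long id, String realm) { rows.put(id, new SentAlarm(id, realm)); }
        boolean exists(long id) { return rows.containsKey(id); }
        List<SentAlarm> getAlarms(List<Long> ids) {
            List<SentAlarm> found = new ArrayList<>();
            for (Long id : new HashSet<>(ids)) {
                SentAlarm a = rows.get(id);
                if (a != null) found.add(a);
            }
            return found;
        }
        void removeAlarms(List<Long> ids) { ids.forEach(rows::remove); }
    }

    // Caller context: the realm the access token was issued for. One realm per caller is a
    // simplification (the real predicate also handles super users), which is why the hardened
    // method asks this predicate per alarm instead of comparing realm strings itself.
    static class Caller {
        final String realm;
        Caller(String realm) { this.realm = realm; }
        boolean isRealmActiveAndAccessible(String target) { return Objects.equals(realm, target); }
    }

    // Mirrors the vulnerable method: the only check is on the caller's own realm, so the
    // supplied IDs are deleted whichever realm they belong to.
    static void removeAlarmsVulnerable(AlarmStore store, Caller caller, List<Long> ids) {
        if (!caller.isRealmActiveAndAccessible(caller.realm)) {
            throw new ForbiddenException("realm not accessible");
        }
        store.getAlarms(ids);     // rows are loaded, but their realm is never inspected
        store.removeAlarms(ids);  // no realm filter
    }

    // Hardened variant: resolve every requested ID, apply the same per-alarm realm check the
    // singular removeAlarm() already performs, and refuse the whole batch if any ID is missing
    // or out of realm. Missing and foreign IDs get the identical response, so the bulk
    // endpoint cannot be used to probe which IDs exist in other tenants.
    static void removeAlarmsHardened(AlarmStore store, Caller caller, List<Long> ids) {
        if (!caller.isRealmActiveAndAccessible(caller.realm)) {
            throw new ForbiddenException("realm not accessible");
        }
        List<SentAlarm> alarms = store.getAlarms(ids);
        boolean allResolved = alarms.size() == new HashSet<>(ids).size();
        boolean allAccessible = alarms.stream()
                .allMatch(a -> caller.isRealmActiveAndAccessible(a.realm()));
        if (!allResolved || !allAccessible) {
            throw new ForbiddenException("one or more alarms not accessible");
        }
        store.removeAlarms(alarms.stream().map(SentAlarm::id).toList());  // verified IDs only
    }

    // Constructed data: victim IDs from the PoC above plus one alarm owned by the attacker.
    static AlarmStore seeded() {
        AlarmStore s = new AlarmStore();
        s.insert(1173, "tenant-b");
        s.insert(1174, "tenant-b");
        s.insert(1180, "tenant-b");
        s.insert(1190, "tenant-a");
        return s;
    }

    public static void main(String[] args) {
        Caller attacker = new Caller("tenant-a");
        List<Long> victimIds = List.of(1174L, 1173L, 1180L);

        AlarmStore store = seeded();
        removeAlarmsVulnerable(store, attacker, victimIds);
        System.out.println("vulnerable: tenant-b alarm 1174 present after attack? " + store.exists(1174));

        store = seeded();
        try {
            removeAlarmsHardened(store, attacker, victimIds);
        } catch (ForbiddenException e) {
            System.out.println("hardened: cross-realm batch refused: " + e.getMessage());
        }
        System.out.println("hardened: tenant-b alarm 1174 present after attack? " + store.exists(1174));

        removeAlarmsHardened(store, attacker, List.of(1190L));  // own realm: allowed
        System.out.println("hardened: own alarm 1190 present after delete? " + store.exists(1190));

        try {
            removeAlarmsHardened(store, attacker, List.of(999_999L));  // ID that does not exist
        } catch (ForbiddenException e) {
            System.out.println("hardened: missing ID gets the same refusal: " + e.getMessage());
        }
    }
}
```

The fail-closed choice matters for the enumeration vector described under "Attack Vectors": a bulk endpoint that deletes the accessible subset and reports how many rows were removed, or that answers 404 for unknown IDs and 403 for foreign ones, still leaks which IDs exist. Scoping the JPQL `select` and `delete` by realm as well (`... and sa.realm = :realm`) is a useful second layer, but the per-alarm predicate is the check that generalizes to super users with access to several realms.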
Affected components
| Ecosystem | Component | Affected versions | Fixed version |
|---|---|---|---|
| maven | io.openremote:openremote-manager | < 1.24.2 | 1.24.2 |
Remediation
Upgrade io.openremote:openremote-manager to 1.24.2 or later.
References
- GitHub Advisory GHSA-h3m5-97jq-qjrf
- https://github.com/openremote/openremote/security/advisories/GHSA-h3m5-97jq-qjrf
- https://github.com/openremote/openremote/blob/master/manager/src/main/java/org/openremote/manager/alarm/AlarmResourceImpl.java
- https://github.com/openremote/openremote/blob/master/manager/src/main/java/org/openremote/manager/alarm/AlarmService.java
This article is compiled from the GitHub Advisory Database (licensed CC-BY-4.0); the data sources are cited above.