OpenRemote before 1.26.0 contain an authenticated SQL injection vulnerability in the datapoint crosstab export endpoint that constructs PostgreSQL queries by concatenating asset display names into raw SQL. An authenticated attacker with asset creation or rename permissions can inject SQL through the asset name parameter and receive query results in the exported CSV response, enabling database data exfiltration.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Fri, 17 Jul 2026 00:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | OpenRemote before 1.26.0 contain an authenticated SQL injection vulnerability in the datapoint crosstab export endpoint that constructs PostgreSQL queries by concatenating asset display names into raw SQL. An authenticated attacker with asset creation or rename permissions can inject SQL through the asset name parameter and receive query results in the exported CSV response, enabling database data exfiltration. | |
| Title | OpenRemote < 1.26.0 SQL Injection via Crosstab Export | |
| First Time appeared |
Openremote
Openremote openremote |
|
| Weaknesses | CWE-89 | |
| CPEs | cpe:2.3:a:openremote:openremote:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Openremote
Openremote openremote |
|
| References |
| |
| Metrics |
cvssV4_0
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-17T00:07:12.425Z
Reserved: 2026-07-13T16:41:09.007Z
Link: CVE-2026-62238
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-17T03:15:05Z
Weaknesses