Expression Injection Vulnerabilities in OpenRemote IoT Platform
CVE-2026-39842
What is CVE-2026-39842?
The OpenRemote IoT platform, in versions 1.21.0 and below, is affected by two related expression injection vulnerabilities in its rules engine that allow arbitrary code execution on the server. The JavaScript rules engine passes user-defined scripts to Nashorn's ScriptEngine.eval() without adequate sandboxing or security checks, so an attacker holding the write:rules role can create a JavaScript ruleset that runs with full Java Virtual Machine (JVM) access. The consequences include remote code execution as root, unauthorized file access, and exposure of sensitive data such as database credentials. Security filters do exist for Groovy rules, but they are ineffective because they are not registered properly. This vulnerability has been addressed in version 1.22.0.
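As an added illustration (not OpenRemote's code and not the project's fix), the following shows the unsandboxed Nashorn pattern the advisory describes next to a hardened engine built with Nashorn's ClassFilter. It assumes the JDK-bundled jdk.nashorn.api.scripting package (the standalone org.openjdk.nashorn artifact exposes the same API under a different package name); the class name, the rule string and the attribute value are constructed for this example.

```java
import javax.script.Bindings;
import javax.script.ScriptEngine;
import javax.script.ScriptException;
import jdk.nashorn.api.scripting.ClassFilter;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

public class RulesEngineSandbox {

    // Weak pattern, the shape this advisory describes: a default engine lets a
    // ruleset reach any JVM class through Java.type(...) or the java.* packages.
    static ScriptEngine unrestrictedEngine() {
        return new NashornScriptEngineFactory().getScriptEngine();
    }

    // Hardened pattern: exposeToScripts() is consulted for every class a script
    // tries to resolve; returning false for all of them makes Java.type(...)
    // fail and leaves the java.* package objects empty. Nashorn also accepts
    // the "--no-java" engine option to remove the Java helper object entirely.
    static ScriptEngine sandboxedEngine() {
        ClassFilter denyAll = className -> false;
        return new NashornScriptEngineFactory().getScriptEngine(denyAll);
    }

    // Evaluate a rule condition against only the facts it is allowed to see.
    // Caveat: the class filter does not restrict methods on objects handed in
    // through bindings, so pass primitive values or minimal value objects only.
    static Object evalRule(ScriptEngine engine, String rule, Bindings facts)
            throws ScriptException {
        return engine.eval(rule, facts);
    }

    // Startup self-check a deployment can run: a script that tries to resolve a
    // JVM class must fail in the sandboxed engine. Any exception means blocked.
    static boolean sandboxBlocksJvmAccess(ScriptEngine engine) {
        try {
            engine.eval("Java.type('java.lang.System')");
            return false;
        } catch (Exception e) {
            return true;
        }
    }

    public static void main(String[] args) throws ScriptException {
        ScriptEngine engine = sandboxedEngine();
        Bindings facts = engine.createBindings();
        facts.put("temperature", 32.5); // constructed sample attribute value
        // Legitimate rule logic keeps working under the filter
        System.out.println("rule result: " + evalRule(engine, "temperature > 30", facts));
        System.out.println("sandboxed engine blocks JVM: " + sandboxBlocksJvmAccess(engine));
        System.out.println("default engine blocks JVM: " + sandboxBlocksJvmAccess(unrestrictedEngine()));
    }
}
```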
Affected Version(s)
openremote < 1.22.0
