Insecure Direct Object Reference in OpenRemote's Bulk Alarm Deletion Endpoint
CVE-2026-56120

8.6HIGH

Key Information:

Vendor: Openremote
Status: Openremote
Vendor: CVE Published:; 23 June 2026

What is CVE-2026-56120?

The version of OpenRemote prior to 1.25.0 contains an insecure direct object reference vulnerability within the bulk alarm deletion functionality. Authenticated users can exploit this flaw to permanently delete alarms belonging to other tenants by providing arbitrary alarm IDs. The key issue arises from the removeAlarms() method, which fails to apply proper realm-scoping validation, allowing users with alarm-write permissions to iterate over sequential auto-incremented alarm IDs and delete alarms without proper authorization checks.

Affected Version(s)

openremote 0

References

https://github.com/openremote/openremote/releases/tag/1.25.0

release-notespatch

https://github.com/openremote/openremote/security/advisor...

vendor-advisory

https://www.vulncheck.com/advisories/openremote-idor-via-...

third-party-advisory

CVSS V4

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 23, 2026
Vulnerability Reserved
Jun 18, 2026

Credit

Tulkin Urinbaev (@Forklit)

Vladyslav Koniakhin (@vladkoniakhinmob)

CVE-2026-56120 Data

JSON

Openremote

What is CVE-2026-56120?

Affected Version(s)

References

CVSS V4

Timeline

Credit