CVE-2026-39842 affects the OpenRemote IoT platform, specifically its rules engine. This vulnerability allows attackers to inject malicious expressions, leading to arbitrary code execution on the server and potential full system compromise. The vulnerability impacts versions 1.21.0 up to, but not including, 1.22.0. A fix is available in version 1.22.0.
The core of this vulnerability lies in the OpenRemote platform's use of an unsandboxed Nashorn JavaScript engine. JavaScript rules, which control device behavior and system logic, are executed using ScriptEngine.eval() without any sandboxing, class filtering, or access restrictions. Critically, any user holding the write:rules role (superuser privileges are not required) can create and deploy such malicious JavaScript rulesets. An attacker could craft a JavaScript rule that executes arbitrary system commands, allowing them to gain control of the OpenRemote server and potentially access sensitive data, modify device configurations, or pivot to other systems on the network.
Furthermore, while a Groovy sandbox exists, it's inactive, providing no protection. This combination of factors creates a highly exploitable scenario. The potential blast radius is significant, as a compromised OpenRemote server could expose all connected IoT devices and the data they generate. Successful exploitation could lead to data breaches, denial of service, and complete control over the IoT infrastructure.
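The following is an added illustration of the engine-construction difference the paragraphs above describe; it is not OpenRemote code. It contrasts an unfiltered Nashorn engine obtained from ScriptEngineManager with one built through NashornScriptEngineFactory and an explicit ClassFilter allowlist, so that a rule may resolve only the Java classes the operator has approved. The class and rule strings are constructed for the example; it assumes JDK 8u40 to 14, where Nashorn ships as jdk.nashorn.api.scripting (the standalone nashorn-core artifact for JDK 15+ uses the package org.openjdk.nashorn.api.scripting instead).

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;
import javax.script.SimpleBindings;
import jdk.nashorn.api.scripting.ClassFilter;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

/**
 * Illustrative hardening of a Nashorn-backed rules engine (added example, not OpenRemote code).
 * Assumes JDK 8u40-14; on JDK 15+ swap the imports to org.openjdk.nashorn.api.scripting.
 */
public class RuleEngineHardening {

    // Constructed allowlist: the only Java classes a rule script may resolve.
    private static final Set<String> ALLOWED_CLASSES =
            new HashSet<>(Arrays.asList("java.lang.Math"));

    /** Unfiltered: the generic manager hands back an engine with full Java class access. */
    static ScriptEngine unfilteredEngine() {
        return new ScriptEngineManager().getEngineByName("nashorn");
    }

    /**
     * Allowlisted: the ClassFilter is consulted for every class a script tries to reach
     * through Java.type, Packages and friends; anything not on the list is refused.
     */
    static ScriptEngine allowlistedEngine() {
        ClassFilter allowlist = ALLOWED_CLASSES::contains; // exposeToScripts(String className)
        return new NashornScriptEngineFactory().getScriptEngine(allowlist);
    }

    /** Evaluates one rule with empty bindings; returns the result or the refusal reason. */
    static String runRule(ScriptEngine engine, String ruleSource) {
        try {
            Object out = engine.eval(ruleSource, new SimpleBindings());
            return "ok: " + out;
        } catch (ScriptException | RuntimeException e) {
            // Nashorn surfaces a filtered class as an error at resolution time.
            return "refused: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample rules: one uses an approved class, one asks for a class
        // that is not on the allowlist (the probe only resolves the class, nothing more).
        String approvedRule = "Java.type('java.lang.Math').max(3, 5)";
        String unapprovedProbe = "Java.type('java.lang.Runtime')";

        System.out.println("unfiltered  approved   : " + runRule(unfilteredEngine(), approvedRule));
        System.out.println("unfiltered  unapproved : " + runRule(unfilteredEngine(), unapprovedProbe));
        System.out.println("allowlisted approved   : " + runRule(allowlistedEngine(), approvedRule));
        System.out.println("allowlisted unapproved : " + runRule(allowlistedEngine(), unapprovedProbe));
    }
}
```

Two caveats for anyone applying this pattern. First, a ClassFilter only governs classes the script resolves by name; any Java object the host places into the bindings remains fully reachable, so nothing exposing Runtime, ProcessBuilder or a ClassLoader should be handed to rule scripts. Second, if rules never need Java at all, the factory's `--no-java` option (`new NashornScriptEngineFactory().getScriptEngine("--no-java")`) removes the Java bridge entirely, which is a simpler boundary to reason about than an allowlist. Neither measure bounds CPU or memory use, so a runaway rule still needs a separate timeout.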
CVE-2026-39842 was published on 2026-04-14. Its criticality (CVSS 10) indicates a high probability of exploitation. There is currently no indication of active exploitation campaigns targeting this vulnerability, but the ease of exploitation and the potential impact suggest it will likely become a target. The vulnerability is not currently listed on KEV or EPSS, but its severity warrants close monitoring. Public proof-of-concept (POC) code is likely to emerge given the vulnerability's nature and the availability of Nashorn scripting.
Exploitation status
EPSS: 0.06% (18th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-39842 is to immediately upgrade OpenRemote to version 1.22.0 or later, which addresses the expression injection vulnerabilities. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict access to the write:rules role to only trusted administrators. Implement strict input validation on all user-supplied data used in rules, although this is difficult to implement effectively given the Nashorn engine's capabilities. Consider deploying a Web Application Firewall (WAF) with rules to detect and block suspicious JavaScript code patterns, although bypassing such rules is likely possible.
After upgrading to version 1.22.0, verify the fix by attempting to create a JavaScript rule that executes a simple system command (e.g., whoami or hostname) and confirming that the command fails to execute. Monitor OpenRemote logs for any unusual activity or error messages related to rule execution.
To mitigate the expression injection vulnerability, update OpenRemote to version 1.22.0 or later. This update fixes the missing sandboxing and access restrictions in the JavaScript rules engine and prevents remote code execution.
It's a critical vulnerability in OpenRemote's rules engine allowing attackers to execute arbitrary code on the server via expression injection, potentially leading to full system compromise.
If you are running OpenRemote versions 1.21.0 up to, but not including, 1.22.0, you are potentially affected. Assess your environment and prioritize patching.
Upgrade OpenRemote to version 1.22.0 or later. If immediate upgrade isn't possible, restrict access to the 'write:rules' role and consider WAF rules.
There's no current evidence of active exploitation, but the vulnerability's severity makes it a likely target. Monitor your systems closely.
Refer to the OpenRemote security advisory and the NVD entry for CVE-2026-39842 for detailed information and updates.