VYPR
Unrated severity · NVD Advisory · Published Jun 23, 2026 · Updated Jun 23, 2026

OpenRemote < 1.25.0 IDOR via Bulk Alarm Deletion Endpoint

CVE-2026-56784

Description

OpenRemote before 1.25.0 contains an insecure direct object reference (IDOR) vulnerability in the bulk alarm deletion endpoint that allows authenticated users to permanently delete alarms belonging to other tenants by supplying arbitrary alarm IDs. The removeAlarms() method in AlarmResourceImpl.java omits realm-scoping validation in its JPA query, enabling any user with alarm-write permissions to enumerate sequential auto-increment alarm IDs and delete cross-tenant alarm records without authorization.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"The bulk removeAlarms() method omits per-alarm realm-scoping validation, allowing any authenticated user with alarm-write permissions to delete alarms belonging to other tenants by supplying arbitrary alarm IDs."

Attack vector

An attacker with any authenticated account in any realm can enumerate sequential auto-increment alarm IDs (CWE-639) by observing 404 vs 200 response codes on bulk delete requests. Once valid cross-tenant IDs are identified, a single DELETE request to `/api/smartcity/alarm` with those IDs permanently deletes alarms belonging to other tenants. The `removeAlarms()` method only checks that the caller's own realm is active, which is trivially satisfied for any authenticated user, and never validates that the targeted alarm IDs belong to the caller's realm.

Affected code

The vulnerability resides in `AlarmResourceImpl.java` and `AlarmService.java`. The `removeAlarms()` method in `AlarmResourceImpl.java` omits per-alarm realm-scoping validation, and the underlying service methods `getAlarms(List)` and `removeAlarms()` in `AlarmService.java` contain no realm filter in their JPA queries.

What the fix does

The advisory contrasts the correct singular `removeAlarm()` method, which validates `isRealmActiveAndAccessible(alarm.getRealm())` per alarm, with the vulnerable plural `removeAlarms()` method that only checks the caller's own realm. The fix would require adding a per-alarm realm check in the bulk deletion path, similar to the singular method, and adding a realm filter to the JPA queries in `AlarmService.getAlarms(List)` and `AlarmService.removeAlarms()`.
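To make the contrast concrete, here is an added illustration in Java of the two shapes the advisory describes: a bulk delete that only checks the caller's own realm, beside one that resolves every requested ID inside the caller's realm before deleting. This is not OpenRemote's code; `Alarm`, `AlarmStore`, `AlarmResource` and `isRealmActive` are hypothetical stand-ins for the alarm model, the JPA-backed service and the `isRealmActiveAndAccessible` check named on the page, and the sample alarms are constructed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

// Hypothetical stand-in for the alarm entity: only the fields the
// authorization decision needs (an assumption, not the project's own class).
final class Alarm {
    final long id;
    final String realm;
    Alarm(long id, String realm) { this.id = id; this.realm = realm; }
}

// Hypothetical in-memory stand-in for the JPA-backed alarm service.
final class AlarmStore {
    private final Map<Long, Alarm> alarms = new HashMap<>();

    void save(Alarm a) { alarms.put(a.id, a); }

    // Mirrors a query with no realm filter: returns whatever IDs exist,
    // regardless of tenant (the unsafe lookup the advisory describes).
    List<Alarm> getAlarms(List<Long> ids) {
        List<Alarm> found = new ArrayList<>();
        for (Long id : ids) {
            Alarm a = alarms.get(id);
            if (a != null) found.add(a);
        }
        return found;
    }

    // Mirrors the same query with a realm filter, the equivalent of adding
    // a "realm = :realm" predicate to the JPA query.
    List<Alarm> getAlarmsInRealm(List<Long> ids, String realm) {
        return getAlarms(ids).stream()
            .filter(a -> a.realm.equals(realm))
            .collect(Collectors.toList());
    }

    void removeAlarms(List<Long> ids) { ids.forEach(alarms::remove); }

    boolean exists(long id) { return alarms.containsKey(id); }
}

final class AlarmResource {
    private final AlarmStore store;
    AlarmResource(AlarmStore store) { this.store = store; }

    // Vulnerable shape: checks only that the caller's own realm is active,
    // then deletes every requested ID, so any alarm-write user can delete
    // alarms that belong to other tenants.
    void removeAlarmsVulnerable(String callerRealm, List<Long> ids) {
        if (!isRealmActive(callerRealm)) throw new SecurityException("realm not active");
        store.removeAlarms(ids);
    }

    // Hardened shape: resolve each requested ID within the caller's realm and
    // reject the whole batch if any ID is not accessible. Rejecting the batch
    // with one uniform error, rather than silently skipping foreign IDs or
    // distinguishing "missing" from "foreign", keeps the endpoint from acting
    // as an oracle for which IDs exist in other tenants.
    void removeAlarmsFixed(String callerRealm, List<Long> ids) {
        if (!isRealmActive(callerRealm)) throw new SecurityException("realm not active");
        Set<Long> ownedIds = store.getAlarmsInRealm(ids, callerRealm).stream()
            .map(a -> a.id)
            .collect(Collectors.toSet());
        for (Long id : ids) {
            if (!ownedIds.contains(id)) {
                throw new SecurityException("alarm not accessible");
            }
        }
        store.removeAlarms(ids);
    }

    // Stand-in for isRealmActiveAndAccessible: treat every named realm as active.
    private boolean isRealmActive(String realm) { return realm != null && !realm.isEmpty(); }
}

public class BulkDeleteDemo {
    public static void main(String[] args) {
        AlarmStore store = new AlarmStore();
        store.save(new Alarm(1L, "tenantA"));   // constructed sample data
        store.save(new Alarm(2L, "tenantB"));
        AlarmResource resource = new AlarmResource(store);

        // A caller from tenantA includes tenantB's alarm in the batch.
        try {
            resource.removeAlarmsFixed("tenantA", Arrays.asList(1L, 2L));
        } catch (SecurityException e) {
            System.out.println("fixed path rejected the batch: " + e.getMessage());
        }
        System.out.println("alarm 2 still present after fixed path: " + store.exists(2L));

        resource.removeAlarmsVulnerable("tenantA", Arrays.asList(2L));
        System.out.println("alarm 2 present after vulnerable path: " + store.exists(2L));
    }
}
```

The per-alarm check in `removeAlarmsFixed` is the bulk-path counterpart of the `isRealmActiveAndAccessible(alarm.getRealm())` check the advisory credits to the singular `removeAlarm()`; putting the realm predicate into the lookup itself (`getAlarmsInRealm`) is the counterpart of adding the realm filter to the service's JPA queries, so the resource layer never sees foreign records at all.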

Preconditions

  • Auth: Attacker must have an authenticated account in any realm on the target OpenRemote installation
  • Auth: Attacker's account must have alarm-write permissions in their own realm
  • Input: Alarm IDs are sequential auto-increment Long values, making them enumerable
  • Network: Attack is performed remotely over the network

Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
