SCA: security update for io.openremote:openremote-manager (GHSA-7mqr-33rv-p3mp)

critical Tenable Self-Hosted Container Security Plugin ID 440358

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- OpenRemote is an open-source IoT platform. Versions 1.21.0 and below contain two interrelated expression
injection vulnerabilities in the rules engine that allow arbitrary code execution on the server. The
JavaScript rules engine executes user-supplied scripts via Nashorn's ScriptEngine.eval() without
sandboxing, class filtering, or access restrictions, and the authorization check in RulesResourceImpl only
restricts Groovy rules to superusers while leaving JavaScript rules unrestricted for any user with the
write:rules role. Additionally, the Groovy rules engine has a GroovyDenyAllFilter security filter that is
defined but never registered, as the registration code is commented out, rendering the SandboxTransformer
ineffective for superuser-created Groovy rules. A non-superuser attacker with the write:rules role can
create JavaScript rulesets that execute with full JVM access, enabling remote code execution as root,
arbitrary file read, environment variable theft including database credentials, and complete multi-tenant
isolation bypass to access data across all realms. This issue has been fixed in version 1.22.0.
(CVE-2026-39842)

Solution

Update the io.openremote:openremote-manager library and its related packages to version 1.22.0 or later.

See Also

https://github.com/advisories/GHSA-7mqr-33rv-p3mp

Plugin Details

Severity: Critical

ID: 440358

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 4/15/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.39

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-39842

CVSS v3

Risk Factor: Critical

Base Score: 9.9

Temporal Score: 8.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/14/2026

Vulnerability Publication Date: 4/14/2026

Reference Information

CVE: CVE-2026-39842