PT-2026-32964 · Unknown · Openremote

Published

2026-04-14

·

Updated

2026-04-15

·

CVE-2026-39842

CVSS v3.1

9.9

Critical

Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

OpenRemote versions 1.21.0 and earlier

Description

Two related code injection issues in the rules engine allow arbitrary code execution on the server. The JavaScript rules engine executes user-supplied scripts through Nashorn's ScriptEngine.eval() with no sandboxing, class filtering, or access restrictions, so a rule body can reach any class on the JVM. An authorization flaw in RulesResourceImpl restricts Groovy rules to superusers but leaves JavaScript rules available to any user holding the write:rules role. In addition, the Groovy rules engine defines a GroovyDenyAllFilter security filter but never registers it, so the SandboxTransformer provides no effective protection for Groovy rules created by superusers.
An attacker with the write:rules role can submit malicious scripts through the following API endpoints:
  • '/api/{realm}/rules/realm'
  • '/api/{realm}/rules/asset'
Exploitation yields remote code execution as root, arbitrary file reads, theft of environment variables (including database credentials), and a complete bypass of multi-tenant isolation, giving access to data in every realm. The script reaches JVM classes such as java.lang.Runtime, java.io.FileReader, and java.lang.System through Java.type(), or uses Java reflection to bypass the realm enforcement in AssetsFacade.
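The following is an added illustration, not OpenRemote's code: it shows the unsandboxed Nashorn pattern the advisory describes beside one hardened construction. It assumes the standalone Nashorn build (org.openjdk.nashorn:nashorn-core); on JDK 8 to 14 the same classes live under jdk.nashorn.api.scripting. The rule body is a constructed sample of what a write:rules user could submit.

```java
// Added example, not OpenRemote code. Assumes org.openjdk.nashorn:nashorn-core
// on the classpath (package jdk.nashorn.api.scripting on JDK 8-14).
import javax.script.ScriptEngine;
import javax.script.ScriptException;
import org.openjdk.nashorn.api.scripting.ClassFilter;
import org.openjdk.nashorn.api.scripting.NashornScriptEngineFactory;

public class RulesEngineSandboxDemo {

    // Constructed sample rule body: reaches the JVM through Java.type(), the
    // same primitive the advisory names. Reads an environment variable rather
    // than spawning a process so the demo is safe to run.
    static final String HOSTILE_RULE =
        "var System = Java.type('java.lang.System');" +
        "System.getenv('PATH');";

    // Vulnerable pattern: a default engine exposes every JVM class to scripts,
    // so ScriptEngine.eval() on user input is arbitrary code execution.
    static Object evalUnsandboxed(String rule) throws ScriptException {
        ScriptEngine engine = new NashornScriptEngineFactory().getScriptEngine();
        return engine.eval(rule);
    }

    // Hardened pattern: a deny-all ClassFilter refuses every class name a script
    // asks for, and --no-java removes the Java and Packages globals entirely so
    // there is nothing left to filter. -strict rejects sloppy-mode tricks.
    static Object evalSandboxed(String rule) throws ScriptException {
        ClassFilter denyAll = className -> false;
        ScriptEngine engine = new NashornScriptEngineFactory().getScriptEngine(
            new String[] { "--no-java", "-strict" },
            RulesEngineSandboxDemo.class.getClassLoader(),
            denyAll);
        return engine.eval(rule);
    }

    public static void main(String[] args) throws ScriptException {
        // Unsandboxed: the script reads the server's environment.
        System.out.println("unsandboxed: " + evalUnsandboxed(HOSTILE_RULE));

        // Sandboxed: 'Java' is not defined, so the eval fails before any
        // JVM class is touched and the error surfaces as a ScriptException.
        try {
            evalSandboxed(HOSTILE_RULE);
        } catch (ScriptException e) {
            System.out.println("sandboxed: rejected -> " + e.getMessage());
        }
    }
}
```

Two caveats belong with this. First, a ClassFilter only governs class lookups the script initiates; any Java object the host places into the engine's bindings (such as an assets facade) stays fully callable, so that object must enforce the realm boundary itself rather than rely on the script sandbox, which is exactly the reflection path the advisory describes. Second, whether reflective access through an already exposed object is blocked varies between Nashorn versions, so test it against the build you ship rather than assume it. Sandboxing is a mitigation on top of the authorization fix, not a substitute for it: the role check in the rules resource is what keeps untrusted users away from the engine in the first place.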
Recommendations

Update OpenRemote to version 1.22.0.

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-39842
GHSA-7MQR-33RV-P3MP

Affected Products

Openremote