CVE-2026-40882

Name of the Vulnerable Software and Affected Versions OpenRemote versions prior to 1.22.0

Description The Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity (XXE) processing, which is a technique where an application processes external entities within an XML document, potentially allowing access to unauthorized data. This can lead to server-side request forgery (SSRF) and server-side file disclosure, provided the target file is less than 1023 characters. The issue occurs because the DocumentBuilderFactory.newInstance().newDocumentBuilder().parse() function is used on untrusted XML input without safeguards to disable DTD or external entities. The affected API endpoint is '/api/{realm}/agent/assetImport/{agentId}'.

Recommendations Update to version 1.22.0.