CVE-2026-39842
Published: 15 April 2026
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2026-39842 affects OpenRemote, an open-source IoT platform, specifically versions 1.21.0 and below. The vulnerability consists of two interrelated expression injection flaws in the rules engine that enable arbitrary code execution on the server. The JavaScript rules engine invokes user-supplied scripts through Nashorn's ScriptEngine.eval() without any sandboxing, class filtering, or access restrictions. Meanwhile, the authorization logic in RulesResourceImpl limits Groovy rules to superusers but leaves JavaScript rules accessible to any user with the write:rules role. Additionally, the Groovy rules engine defines a GroovyDenyAllFilter security measure, but its registration code is commented out, making the SandboxTransformer ineffective for superuser-created Groovy rules.
A non-superuser attacker with the write:rules role can exploit this by creating malicious JavaScript rulesets. These rulesets execute with unrestricted full JVM access, allowing remote code execution as root, arbitrary file reads, theft of environment variables including database credentials, and complete bypass of multi-tenant isolation to access data across all realms. The issue is classified under CWE-94 (Improper Control of Generation of Code) and CWE-917 (Improper Neutralization of Special Elements), and its CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) reflects critical severity.
The OpenRemote security advisory (GHSA-7mqr-33rv-p3mp) and release notes for version 1.22.0 confirm the issue has been addressed in that update, recommending immediate upgrades for affected deployments.
Why these techniques?
The vulnerability enables exploitation of a public-facing application (T1190), leading to privilege escalation to root via arbitrary remote code execution (T1068) through unsandboxed JavaScript evaluation in the rules engine (T1059.007).