Cross-Tenant Alarm Deletion via Insecure Direct Object Reference

OpenRemote before 1.25.0 contains an insecure direct object reference (IDOR) vulnerability in the bulk alarm deletion endpoint that allows authenticated users to permanently delete alarms belonging to other tenants by supplying arbitrary alarm IDs. The removeAlarms() method in AlarmResourceImpl.java omits realm-scoping validation in its JPA query, enabling any user with alarm-write permissions to enumerate sequential auto-increment alarm IDs and delete cross-tenant alarm records without authorization.

Casky was already ahead

This CVE exploits attack patterns that Casky's 283matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.

Analysis

OpenRemote versions before 1.25.0 contain a critical insecure direct object reference (IDOR) vulnerability in the bulk alarm deletion endpoint that allows authenticated users to delete alarms belonging to other tenants. The vulnerability exists because the removeAlarms() method in AlarmResourceImpl.java fails to validate realm-scoping in its JPA query, meaning any user with alarm-write permissions can enumerate sequential auto-increment alarm IDs and permanently delete cross-tenant alarm records. This affects multi-tenant deployments where data isolation is essential, allowing attackers to disrupt monitoring, hide security events, or cause denial of service by removing critical alarm data they should never access.

Casky's 283 mapped security skills leverage Claude AI's extended reasoning to detect the attack patterns underlying this vulnerability across MITRE ATT&CK techniques TA0004 (Privilege Escalation) and TA0006 (Credential Access). Practitioners using Casky would identify detection opportunities through skills aligned with object reference validation, authorization bypass detection, and cross-tenant boundary enforcement. The platform's skills would flag suspicious patterns such as: sequential or non-sequential alarm ID requests from single users, deletion attempts on alarms associated with different tenant contexts, and API calls to batch delete endpoints that bypass expected role-based access controls. By correlating these behavioral indicators with the missing realm-scoping validation, security teams can detect exploitation attempts before cross-tenant data destruction occurs, distinguishing legitimate administrative actions from adversarial enumeration and privilege escalation.

Live Threat IntelligenceComing soon

Casky Risk Score

—

EPSS Probability

—

Shodan Exposure

—

GreyNoise Signal

—

Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →

283 Casky skills cover this attack pattern

These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-56784.

abusing-dpapi-for-credential-access

red teaming · high

Run

abusing-shadow-credentials-for-privesc

red teaming · high

Run

Access with Stolen Session Cookie

identity access management · low

Run

MITRE ATT&CK Techniques

TA0004 TA0006

Investigate the attack patterns behind CVE-2026-56784

Casky has 283 skills that investigate the attack patterns behind CVE-2026-56784. Run one and get CVSS-scored findings in 3 minutes.

Run the skill that detects this →

X Instagram LinkedIn