Cyber Posture

CVE-2026-40882

Severity: High · Public PoC

Published: 22 April 2026

Modified: 24 April 2026
KEV Added: not listed
Patch: no entry (the NVD description states that version 1.22.0 fixes the issue)
CVSS Score: 7.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L)
EPSS Score: 0.0007 (20.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-40882 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in OpenRemote (vendor openremote, product openremote). Its CVSS v3.1 base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 20.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and two other techniques listed below. What defenders deploy: the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent (SI-10, Information Input Validation)

Directly prevents XXE attacks by enforcing validation of attacker-controlled XML inputs to block external entity processing.

prevent (SI-2, Flaw Remediation)

Remediates the XXE flaw in the Velbus asset import path by upgrading OpenRemote to version 1.22.0, which contains the fix.

prevent

Ensures secure configuration settings for XML parsers to disable external entities and mitigate XXE exploitation.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1046 Network Service Discovery (Discovery)
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

An XXE flaw in a public-facing web import endpoint is exploited directly through T1190; the resulting server-side file disclosure maps to T1005; and the SSRF primitive allows probing of internal network services, which maps to T1046.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which can lead to server-side file disclosure and SSRF. The target file must be less than 1023 characters. Version 1.22.0 fixes the issue.

Deeper analysis [AI-generated]

CVE-2026-40882 is an XML External Entity (XXE) vulnerability, classified under CWE-611, affecting OpenRemote, an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML input without explicit XXE hardening, enabling XML external entity processing that leads to server-side file disclosure and Server-Side Request Forgery (SSRF). The target file for disclosure must be less than 1023 characters in length. The vulnerability was published on 2026-04-22 and carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L).

An authenticated user with privileges to call the import endpoint can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. Exploitation triggers XXE processing, allowing the attacker to disclose sensitive server-side files up to 1023 characters and perform SSRF attacks, resulting in high confidentiality impact alongside low integrity and availability impacts.

The official OpenRemote security advisory at GHSA-g24f-mgc3-jwwc documents the issue and confirms that upgrading to version 1.22.0 addresses the vulnerability by implementing proper XXE protections in the Velbus asset import path.
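The third mitigating control above (secure XML parser configuration) and the analysis in this section come down to the same change in an import path: parse the uploaded document with a parser that refuses a DOCTYPE and cannot resolve external entities. The Java class below is an added example written for this page, not OpenRemote's code; the class name, the `parseUntrusted` helper and the two constructed sample documents are assumptions, and the feature URIs are the standard JAXP/Xerces ones. It shows the JAXP default configuration beside the hardened one and parses a benign document and a DOCTYPE-bearing document through the hardened builder.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

public final class HardenedXmlImport {

    // Constructed sample: a benign asset-import document of the shape an import endpoint receives.
    static final String BENIGN_XML =
        "<?xml version=\"1.0\"?><assets><asset name=\"hall-light\" address=\"0x1A\"/></assets>";

    // Constructed sample: the same document with a DOCTYPE that declares an external general entity.
    // A parser that resolves external entities would substitute the referenced file into the attribute,
    // which is the file-disclosure behaviour this CVE describes.
    static final String DOCTYPE_XML =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE assets [<!ENTITY ext SYSTEM \"file:///etc/hostname\">]>"
      + "<assets><asset name=\"&ext;\"/></assets>";

    /** The weak setting: JAXP defaults process DTDs and expand entity references. Never used on untrusted input. */
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** The corrected setting: refuse any DOCTYPE, and additionally disable every entity-resolution path. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE declaration removes the entire entity-declaration surface in one step.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation does not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties: an empty string forbids all protocols for external DTDs and schemas.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    /** Parses untrusted XML with the hardened builder; a DOCTYPE makes the parse fail before any entity is read. */
    static Document parseUntrusted(String xml) throws ParserConfigurationException, SAXException, IOException {
        return hardenedBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // The benign document parses normally under the hardened configuration.
        Document ok = parseUntrusted(BENIGN_XML);
        System.out.println("benign root element: " + ok.getDocumentElement().getTagName());

        // The DOCTYPE-bearing document is rejected with a SAXParseException at the DOCTYPE itself.
        try {
            parseUntrusted(DOCTYPE_XML);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running `main` prints the benign root element and then the rejection message for the second document: with `disallow-doctype-decl` set, the parser stops at the DOCTYPE, so the entity declaration and its `file:` URI are never processed. The same property gives a cheap detection signal: a DOCTYPE is rarely legitimate in a plain data-import upload, so logging parses rejected for that reason on the import endpoint surfaces probing against it without any payload-specific signature.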

Details

CWE(s)

CWE-611 Improper Restriction of XML External Entity Reference

Affected Products

Vendor: openremote
Product: openremote
Versions: ≤ 1.22.0 as listed here (the NVD description states that versions prior to 1.22.0 are affected and that 1.22.0 fixes the issue)

CVEs Like This One

CVE-2026-39842 (same product: OpenRemote)
CVE-2025-0162 (shared CWE-611)
CVE-2025-61813 (shared CWE-611)
CVE-2026-3511 (shared CWE-611)
CVE-2026-41066 (shared CWE-611)
CVE-2024-56324 (shared CWE-611)
CVE-2026-1567 (shared CWE-611)
CVE-2024-49781 (shared CWE-611)
CVE-2025-36589 (shared CWE-611)
CVE-2026-29924 (shared CWE-611)

References