CVE-2026-54640: OpenRemote KNXProtocol XXE Arbitrary File Read
An incomplete security fix left the KNX asset import handler in OpenRemote unprotected against XML External Entity injection, letting any logged-in user read sensitive files off the server by uploadin
The problem
OpenRemote's `KNXProtocol.startAssetImport()` processes user-uploaded ETS project ZIP files and parses the embedded `0.xml` through two separate XML engines: Saxon's `TransformerFactoryImpl` and the JDK's `XMLInputFactory`. Neither has DTD or external-entity restrictions applied.
The prior fix for CVE-2026-40882 hardened `AbstractVelbusProtocol` with five blocking features on `DocumentBuilderFactory`, but `KNXProtocol` was never updated. Any authenticated user (no admin role required) can reach the import endpoint at `POST /api/{realm}/agent/{agentId}/import` and trigger both vulnerable code paths.
Proof of concept
A working proof-of-concept for CVE-2026-54640 in io.openremote:openremote-agent, with the exact payload below.
<!-- 0.xml inside attacker-crafted ETS project ZIP -->
<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root><data>&xxe;</data></root>The payload works because `XMLInputFactory.newInstance()` (KNXProtocol.java line 249) is created with no call to `factory.setProperty(XMLInputFactory.SUPPORT_DTD, false)` or `factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false)`. The JDK default allows DTD parsing and external entity resolution, so the `file://` URI is fetched and its contents flow into the parsed element text.
Saxon's `TransformerFactoryImpl` (lines 233-245) also resolves external entities in the source document by default, giving a second independent read path through the XSLT transform stage.
The patch (commit c28d3c60) mirrors the `createSecureDocumentBuilderFactory()` pattern from `AbstractVelbusProtocol` by disabling DTD and external-entity support on both parsers in `KNXProtocol`. CWE-611: Improper Restriction of XML External Entity Reference.
The fix
Upgrade `io.openremote:openremote-agent` to version 1.24.2 or later. The fix commit c28d3c60ebc2da68d9b6c4a6d7a5ad875a255ee9 adds explicit XXE-blocking properties to both the Saxon transformer factory and the `XMLInputFactory` instance in `KNXProtocol.java`, consistent with the hardening already applied to `AbstractVelbusProtocol`.
Related research
- high · 7.7CVE-2026-54641CVE-2026-54641: OpenRemote Manager Cross-Realm User Information Disclosure
- highCVE-2026-53712CVE-2026-53712: scram-client SCRAM Channel-Binding Silent Authentication Downgrade
- high · 7.5CVE-2026-46487CVE-2026-46487: GeoNetwork Elasticsearch Search ACL Bypass via Missing Query Field
- highCVE-2026-47424CVE-2026-47424: OpenAM Authenticated Groovy Sandbox Escape to RCE