high · 7.6CVE-2026-54640Jul 6, 2026

CVE-2026-54640: OpenRemote KNXProtocol XXE Arbitrary File Read

Rohit Hatagale
AI Security Researcher, SecureLayer7

An incomplete security fix left the KNX asset import handler in OpenRemote unprotected against XML External Entity injection, letting any logged-in user read sensitive files off the server by uploadin

Packageio.openremote:openremote-agent
Ecosystemmaven
Affected<= 1.24.1
Fixed in1.24.2

The problem

OpenRemote's `KNXProtocol.startAssetImport()` processes user-uploaded ETS project ZIP files and parses the embedded `0.xml` through two separate XML engines: Saxon's `TransformerFactoryImpl` and the JDK's `XMLInputFactory`. Neither has DTD or external-entity restrictions applied.

The prior fix for CVE-2026-40882 hardened `AbstractVelbusProtocol` with five blocking features on `DocumentBuilderFactory`, but `KNXProtocol` was never updated. Any authenticated user (no admin role required) can reach the import endpoint at `POST /api/{realm}/agent/{agentId}/import` and trigger both vulnerable code paths.

Proof of concept

A working proof-of-concept for CVE-2026-54640 in io.openremote:openremote-agent, with the exact payload below.

http
<!-- 0.xml inside attacker-crafted ETS project ZIP -->
<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root><data>&xxe;</data></root>

The payload works because `XMLInputFactory.newInstance()` (KNXProtocol.java line 249) is created with no call to `factory.setProperty(XMLInputFactory.SUPPORT_DTD, false)` or `factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false)`. The JDK default allows DTD parsing and external entity resolution, so the `file://` URI is fetched and its contents flow into the parsed element text.

Saxon's `TransformerFactoryImpl` (lines 233-245) also resolves external entities in the source document by default, giving a second independent read path through the XSLT transform stage.

The patch (commit c28d3c60) mirrors the `createSecureDocumentBuilderFactory()` pattern from `AbstractVelbusProtocol` by disabling DTD and external-entity support on both parsers in `KNXProtocol`. CWE-611: Improper Restriction of XML External Entity Reference.

The fix

Upgrade `io.openremote:openremote-agent` to version 1.24.2 or later. The fix commit c28d3c60ebc2da68d9b6c4a6d7a5ad875a255ee9 adds explicit XXE-blocking properties to both the Saxon transformer factory and the `XMLInputFactory` instance in `KNXProtocol.java`, consistent with the hardening already applied to `AbstractVelbusProtocol`.

Reporter not attributed.

References: [1][2][3]

Related research