CVE-2026-41166
Privilege Escalation in OpenRemote Keycloak Manager API
Publication date: 2026-04-22
Last updated on: 2026-04-24
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openremote | openremote | to 1.22.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenRemote, an open-source internet-of-things platform, prior to version 1.22.1. A user who has the 'write:admin' permission in one Keycloak realm can exploit the Manager API to update Keycloak realm roles for users in another realm, including the highly privileged 'master' realm. The issue arises because the API handler uses the realm path segment when communicating with the identity provider but does not verify whether the caller has administrative rights for that specific realm. This flaw can lead to privilege escalation, allowing an attacker controlling any user in the 'master' realm to gain master realm administrator privileges.
How can this vulnerability impact me? :
The vulnerability can lead to privilege escalation, where an attacker with limited administrative rights in one realm can gain full administrative control over the 'master' realm in Keycloak. This elevated access can allow the attacker to modify user roles and permissions across realms, potentially compromising the security and integrity of the entire system. Such unauthorized access can result in data breaches, unauthorized configuration changes, and disruption of services.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade OpenRemote to version 1.22.1 or later, where the issue has been fixed.
Additionally, review and restrict users with `write:admin` permissions in Keycloak realms to minimize the risk of privilege escalation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows privilege escalation to a master realm administrator by exploiting insufficient authorization checks in the OpenRemote platform's integration with Keycloak. Such unauthorized privilege escalation can lead to unauthorized access and modification of sensitive user roles and data.
Consequently, this could impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data. Failure to properly restrict administrative privileges may result in unauthorized data access or modification, potentially leading to violations of these regulations.