CVE-2026-41166
Awaiting Analysis Awaiting Analysis - Queue

Privilege Escalation in OpenRemote Keycloak Manager API

Vulnerability report for CVE-2026-41166, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-22

Last updated on: 2026-04-24

Assigner: GitHub, Inc.

Description

OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has `write:admin` in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including `master`. The handler uses the `{realm}` path segment when talking to the identity provider but does not check that the caller may administer that realm. This could result in a privilege escalation to `master` realm administrator if the attacker controls any user in `master` realm. Version 1.22.1 fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-22
Last Modified
2026-04-24
Generated
2026-07-06
AI Q&A
2026-04-23
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
openremote openremote to 1.22.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenRemote, an open-source internet-of-things platform, prior to version 1.22.1. A user who has the 'write:admin' permission in one Keycloak realm can exploit the Manager API to update Keycloak realm roles for users in another realm, including the highly privileged 'master' realm. The issue arises because the API handler uses the realm path segment when communicating with the identity provider but does not verify whether the caller has administrative rights for that specific realm. This flaw can lead to privilege escalation, allowing an attacker controlling any user in the 'master' realm to gain master realm administrator privileges.

Impact Analysis

The vulnerability can lead to privilege escalation, where an attacker with limited administrative rights in one realm can gain full administrative control over the 'master' realm in Keycloak. This elevated access can allow the attacker to modify user roles and permissions across realms, potentially compromising the security and integrity of the entire system. Such unauthorized access can result in data breaches, unauthorized configuration changes, and disruption of services.

Mitigation Strategies

To mitigate this vulnerability, upgrade OpenRemote to version 1.22.1 or later, where the issue has been fixed.

Additionally, review and restrict users with `write:admin` permissions in Keycloak realms to minimize the risk of privilege escalation.

Compliance Impact

This vulnerability allows privilege escalation to a master realm administrator by exploiting insufficient authorization checks in the OpenRemote platform's integration with Keycloak. Such unauthorized privilege escalation can lead to unauthorized access and modification of sensitive user roles and data.

Consequently, this could impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data. Failure to properly restrict administrative privileges may result in unauthorized data access or modification, potentially leading to violations of these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41166. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart