CVE-2026-41166
Awaiting Analysis Awaiting Analysis - Queue
Privilege Escalation in OpenRemote Keycloak Manager API

Publication date: 2026-04-22

Last updated on: 2026-04-24

Assigner: GitHub, Inc.

Description
OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has `write:admin` in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including `master`. The handler uses the `{realm}` path segment when talking to the identity provider but does not check that the caller may administer that realm. This could result in a privilege escalation to `master` realm administrator if the attacker controls any user in `master` realm. Version 1.22.1 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-04-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41166
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openremote openremote to 1.22.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenRemote, an open-source internet-of-things platform, prior to version 1.22.1. A user who has the 'write:admin' permission in one Keycloak realm can exploit the Manager API to update Keycloak realm roles for users in another realm, including the highly privileged 'master' realm. The issue arises because the API handler uses the realm path segment when communicating with the identity provider but does not verify whether the caller has administrative rights for that specific realm. This flaw can lead to privilege escalation, allowing an attacker controlling any user in the 'master' realm to gain master realm administrator privileges.

Impact Analysis

The vulnerability can lead to privilege escalation, where an attacker with limited administrative rights in one realm can gain full administrative control over the 'master' realm in Keycloak. This elevated access can allow the attacker to modify user roles and permissions across realms, potentially compromising the security and integrity of the entire system. Such unauthorized access can result in data breaches, unauthorized configuration changes, and disruption of services.

Mitigation Strategies

To mitigate this vulnerability, upgrade OpenRemote to version 1.22.1 or later, where the issue has been fixed.

Additionally, review and restrict users with `write:admin` permissions in Keycloak realms to minimize the risk of privilege escalation.

Compliance Impact

This vulnerability allows privilege escalation to a master realm administrator by exploiting insufficient authorization checks in the OpenRemote platform's integration with Keycloak. Such unauthorized privilege escalation can lead to unauthorized access and modification of sensitive user roles and data.

Consequently, this could impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data. Failure to properly restrict administrative privileges may result in unauthorized data access or modification, potentially leading to violations of these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41166. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart