Skip to main content

OpenRemote Manager CVE-2026-41166

| EUVDEUVD-2026-25096 HIGH
Improper Access Control (CWE-284)
2026-04-22 https://github.com/openremote/openremote GHSA-49vv-25qx-mg44
7.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.0 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

7
Patch released
Apr 24, 2026 - 13:10 nvd
Patch available
Patch available
Apr 22, 2026 - 22:02 EUVD
Re-analysis Queued
Apr 22, 2026 - 21:22 vuln.today
cvss_changed
Analysis Generated
Apr 22, 2026 - 15:00 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 14:39 euvd
EUVD-2026-25096
Analysis Generated
Apr 22, 2026 - 14:39 vuln.today
CVE Published
Apr 22, 2026 - 14:38 nvd
HIGH 7.0

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 5 maven packages depend on io.openremote:openremote-manager (5 direct, 0 indirect)

Ecosystem-wide dependent count for version 1.22.1.

DescriptionGitHub Advisory

Summary

A user who has write:admin in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including master. The handler uses the {realm} path segment when talking to the identity provider but does not check that the caller may administer that realm. This could result in a privilege escalation to master realm administrator if the attacker controls any user in master realm.

Details

In manager/src/main/java/org/openremote/manager/security/UserResourceImpl.java, there is no check to validate if the caller should be able to administer a realm they're trying to update.

340:353:manager/src/main/java/org/openremote/manager/security/UserResourceImpl.java
    @Override
    public void updateUserRealmRoles(RequestParams requestParams, String realm, String userId, String[] roles) {
        try {
            identityService.getIdentityProvider().updateUserRealmRoles(
                realm,
                userId,
                roles);
        } catch (ClientErrorException ex) {
            ex.printStackTrace(System.out);
            throw new WebApplicationException(ex.getCause(), ex.getResponse().getStatus());
        } catch (Exception ex) {
            throw new WebApplicationException(ex);
        }
    }

PoC

  1. Create a new Keycloak realm other than master. Add a user and grant that user the OpenRemote client role write:admin. Remember the realm name (call it NEW_REALM).
  2. In Keycloak realm master, pick a low-privilege user (no admin realm role). Copy that user’s UUID (<master-user-uuid>).
  3. Authenticate as the user from step 1 and obtain a Bearer access token (<token>) for NEW_REALM.
  4. Replace placeholders and run:
bash
curl -k -X PUT "https://<host>/api/<NEW_REALM>/user/master/userRealmRoles/<master-user-uuid>" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '["admin"]'
  1. In the Keycloak Admin Console, realm master, that user, Role mapping. Confirm the admin realm role is assigned.

Impact

An attacker with the OpenRemote client role write:admin in any realm can call this API with {realm} set to another realm (for example master) and change Keycloak realm roles for users there. That can grant admin on master to a user UUID they target, which gives Keycloak administrator access for the master realm.

AnalysisAI

OpenRemote Manager allows privilege escalation to Keycloak master realm administrator through improper authorization in the Manager API. Users with write:admin permission in any non-master realm can manipulate realm role assignments in other realms, including master, by exploiting missing authorization checks in the updateUserRealmRoles endpoint. An attacker controlling any user in the master realm can grant themselves admin privileges, achieving full Keycloak administrator access. Vendor-released patch version 1.22.1 addresses this vulnerability. No public exploit code identified at time of analysis, though a detailed proof-of-concept is documented in the advisory.

Technical ContextAI

OpenRemote Manager (pkg:maven/io.openremote:openremote-manager) is a Java-based IoT platform that integrates with Keycloak for identity and access management across multiple realms. The vulnerability exists in the UserResourceImpl.java REST API handler, specifically the updateUserRealmRoles method. This endpoint accepts a {realm} path parameter but fails to validate whether the authenticated caller has administrative privileges for that target realm - a classic CWE-284 (Improper Access Control) flaw. The Java code directly forwards the realm parameter to identityService.getIdentityProvider().updateUserRealmRoles() without checking if the caller's write:admin permission scope includes that realm. In Keycloak's multi-tenant architecture, realm isolation is security-critical; the master realm has elevated privileges to manage all other realms. By exploiting this missing authorization boundary check, an attacker with write:admin in realm A can issue API calls targeting realm B (including master), effectively bypassing Keycloak's intended realm isolation model.

RemediationAI

Upgrade OpenRemote Manager to version 1.22.1 or later, which implements proper authorization checks to validate that callers can only administer realms for which they have appropriate permissions. The patch is available via the GitHub release at https://github.com/openremote/openremote/releases/tag/1.22.1 and advisory at https://github.com/openremote/openremote/security/advisories/GHSA-49vv-25qx-mg44. For environments unable to immediately upgrade, implement compensating controls by restricting network access to the Manager API endpoint /api/{realm}/user/{target-realm}/userRealmRoles/{userId} to only trusted administrator networks or localhost, though this significantly degrades functionality. Alternatively, use a reverse proxy or API gateway to enforce additional authorization checks verifying that the authenticated user's realm matches the {target-realm} path parameter before forwarding requests to the Manager API - however this requires custom development and thorough testing to avoid breaking legitimate cross-realm administrative workflows. Audit existing Keycloak realm role assignments, particularly in the master realm, for unauthorized admin role grants that may indicate prior exploitation. Review application logs for suspicious PUT requests to /api/*/user/master/userRealmRoles/* paths originating from non-master realm authentication contexts.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-41166 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy