Lucene search
+L

4 matches found

Cvelist
Cvelist
added 2026/04/22 8:31 p.m.31 views

CVE-2026-41166 OpenRemote has Improper Access Control via updateUserRealmRoles function

OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has write:admin in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including master. The handler uses the realm path segment when talking to the...

7CVSS0.00285EPSS
Exploits1References2
CVE
CVE
added 2026/04/22 8:31 p.m.22 views

CVE-2026-41166

Summary of CVE-2026-41166 : OpenRemote prior to v1.22.1 allows a user with the OpenRemote Keycloak realm role write:admin in one realm to call the Manager API and update realm roles for users in a different realm, including the master realm. The underlying issue is that the handler uses the {real...

7CVSS5.7AI score0.00285EPSS
Exploits1References2Affected Software1
OSV
OSV
added 2026/04/22 8:31 p.m.3 views

CVE-2026-41166 OpenRemote has Improper Access Control via updateUserRealmRoles function

OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has write:admin in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including master. The handler uses the realm path segment when talking to the...

7CVSS5.9AI score0.00285EPSS
Exploits1References4
Snyk
Snyk
added 2026/04/22 2:38 p.m.9 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass via the updateUserRealmRoles function. An attacker can escalate privileges by invoking the API with a valid token from one realm to modify user roles in another realm, potentially granting administrative access to...

8.3CVSS5.8AI score0.00285EPSS
Exploits1References2
Rows per page
Query Builder