CVE-2026-0871

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-0871
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-0871.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-0871
Aliases
Downstream
Published
2026-02-27T08:17:09.410Z
Modified
2026-03-13T04:08:34.982340Z
Severity
  • 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

A flaw was found in Keycloak. An administrator with manage-users permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the system is configured to restrict such modifications.

References

Affected packages

Git / github.com/keycloak/keycloak

Affected ranges

Type
GIT
Repo
https://github.com/keycloak/keycloak
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
29bce99a277153beabf55a33deb1989d12c63df0
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
4e25e47b3c3619b3a0593448e1dfc0dd786cfbe1
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "26.4.9"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "26.4.0"
        }
    ]
}

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-0871.json"