GHSA-49vv-25qx-mg44

Source
https://github.com/advisories/GHSA-49vv-25qx-mg44
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-49vv-25qx-mg44/GHSA-49vv-25qx-mg44.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-49vv-25qx-mg44
Aliases
  • CVE-2026-41166
Published
2026-04-22T14:38:23Z
Modified
2026-04-22T14:47:02.340651Z
Severity
  • 7.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
Summary
OpenRemote has Improper Access Control via updateUserRealmRoles function
Details

Summary

A user who has write:admin in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including master. The handler uses the {realm} path segment when talking to the identity provider but does not check that the caller may administer that realm. This could result in a privilege escalation to master realm administrator if the attacker controls any user in master realm.

Details

In manager/src/main/java/org/openremote/manager/security/UserResourceImpl.java there is no check that the caller is permitted to administer the realm they are trying to update.

Lines 340-353 of manager/src/main/java/org/openremote/manager/security/UserResourceImpl.java:

```java
@Override
public void updateUserRealmRoles(RequestParams requestParams, String realm, String userId, String[] roles) {
    try {
        // The caller-supplied {realm} path segment is passed straight through; nothing
        // verifies that the caller is allowed to administer that realm.
        identityService.getIdentityProvider().updateUserRealmRoles(realm, userId, roles);
    } catch (ClientErrorException ex) {
        ex.printStackTrace(System.out);
        throw new WebApplicationException(ex.getCause(), ex.getResponse().getStatus());
    } catch (Exception ex) {
        throw new WebApplicationException(ex);
    }
}
```
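The hardened shape of this handler, shown here as an added example that is neither OpenRemote's code nor the fix shipped in 1.22.1: before the identity provider is called, the realm named in the path is compared against the realm the caller's verified token was issued for. `AuthContext`, `IdentityProvider`, `ForbiddenException` and the rule that only an `admin` of `master` may act across realms are assumptions made for the example; the `write:admin` client role, the `admin` realm role and the `master` realm are the names the advisory uses.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Illustrative hardened handler added to this page; not OpenRemote's code and not the
// project's actual fix. AuthContext, IdentityProvider, ForbiddenException and the
// "master admin may administer any realm" rule are assumptions made for the example.
public class RealmRoleService {

    /** The authenticated caller, derived from the verified access token, never from the URL. */
    record AuthContext(String tokenRealm, Set<String> clientRoles, Set<String> realmRoles) {

        /** Whether this caller may administer users in {@code targetRealm}. */
        boolean canAdministerRealm(String targetRealm) {
            // Assumption: an 'admin' of the master realm is the only cross-realm administrator.
            if ("master".equals(tokenRealm) && realmRoles.contains("admin")) {
                return true;
            }
            // write:admin is scoped to the realm the token was issued for, so the path
            // parameter must match it. This is the check the vulnerable handler lacked.
            return tokenRealm.equals(targetRealm) && clientRoles.contains("write:admin");
        }
    }

    /** Stand-in for the identity-provider client that performs the Keycloak update. */
    @FunctionalInterface
    interface IdentityProvider {
        void updateUserRealmRoles(String realm, String userId, String[] roles);
    }

    /** Would be mapped to an HTTP 403 at the resource layer. */
    static class ForbiddenException extends RuntimeException {
        ForbiddenException(String message) { super(message); }
    }

    private final IdentityProvider identityProvider;

    RealmRoleService(IdentityProvider identityProvider) {
        this.identityProvider = identityProvider;
    }

    /** Hardened equivalent of updateUserRealmRoles: authorize the realm before touching Keycloak. */
    public void updateUserRealmRoles(AuthContext caller, String realm, String userId, String[] roles) {
        if (!caller.canAdministerRealm(realm)) {
            // Denials are worth logging: a token from one realm naming a different realm
            // in the path is exactly the pattern this advisory describes.
            System.err.printf("DENY realm-role update: caller realm=%s target realm=%s user=%s%n",
                    caller.tokenRealm(), realm, userId);
            throw new ForbiddenException("caller may not administer realm '" + realm + "'");
        }
        identityProvider.updateUserRealmRoles(realm, userId, roles);
    }

    public static void main(String[] args) {
        // Constructed: record what reaches the identity provider instead of calling Keycloak.
        List<String> applied = new ArrayList<>();
        RealmRoleService service = new RealmRoleService(
                (realm, userId, roles) -> applied.add(realm + "/" + userId + "=" + String.join(",", roles)));

        // Constructed callers: a write:admin user of NEW_REALM and an admin of master.
        AuthContext newRealmAdmin = new AuthContext("NEW_REALM", Set.of("write:admin"), Set.of());
        AuthContext masterAdmin = new AuthContext("master", Set.of(), Set.of("admin"));

        // Same-realm update by a realm administrator: allowed ("example-role" is a constructed name).
        service.updateUserRealmRoles(newRealmAdmin, "NEW_REALM", "user-in-new-realm", new String[]{"example-role"});

        // The advisory's scenario: a NEW_REALM write:admin naming 'master' in the path. Now refused.
        try {
            service.updateUserRealmRoles(newRealmAdmin, "master", "master-user-uuid", new String[]{"admin"});
        } catch (ForbiddenException e) {
            System.out.println("refused: " + e.getMessage());
        }

        // A master-realm admin may still manage roles in other realms.
        service.updateUserRealmRoles(masterAdmin, "NEW_REALM", "another-user", new String[]{"admin"});

        System.out.println("applied to identity provider: " + applied);
    }
}
```

The point of the design is that the authorization decision is made from claims in the verified token (`tokenRealm`, the caller's roles) and only then compared against the untrusted `{realm}` path parameter; the denied branch is also where a log line or audit event gives defenders a signal that a realm-crossing request was attempted.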


### PoC
1. Create a **new** Keycloak realm other than `master`. Add a user and grant that user the OpenRemote client role `write:admin`. Remember the realm name (call it `NEW_REALM`).
2. In Keycloak realm `master`, pick a **low-privilege** user (no `admin` realm role). Copy that user’s UUID (`<master-user-uuid>`).
3. Authenticate as the user from step 1 and obtain a Bearer access token (`<token>`) for `NEW_REALM`.
4. Replace placeholders and run:
```bash
curl -k -X PUT "https://<host>/api/<NEW_REALM>/user/master/userRealmRoles/<master-user-uuid>" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '["admin"]'
```

5. In the Keycloak Admin Console, open realm `master`, then that user, then Role mapping, and confirm the `admin` realm role is assigned.

Impact

An attacker with the OpenRemote client role write:admin in any realm can call this API with {realm} set to another realm (for example master) and change Keycloak realm roles for users there. That can grant admin on master to a user UUID they target, which gives Keycloak administrator access for the master realm.

Database specific
{
    "severity": "HIGH",
    "github_reviewed": true,
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-284"
    ],
    "github_reviewed_at": "2026-04-22T14:38:23Z"
}
References

Affected packages

Maven / io.openremote:openremote-manager

Package

Name
io.openremote:openremote-manager
Purl
pkg:maven/io.openremote/openremote-manager

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.22.1

Affected versions

1.*
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.4.0
1.5.0
1.6.0
1.6.2
1.6.3
1.6.4
1.6.5
1.7.0
1.8.0
1.8.1
1.9.0
1.10.0
1.11.0
1.11.1
1.11.2
1.11.3
1.12.0
1.12.1
1.12.3
1.13.0
1.13.1
1.14.0
1.15.0
1.15.1
1.15.2
1.16.1
1.17.0
1.17.1
1.17.2
1.17.3
1.18.0
1.19.0
1.20.0
1.20.1
1.20.2
1.21.0
1.22.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-49vv-25qx-mg44/GHSA-49vv-25qx-mg44.json"