Description
A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the system is configured to restrict such modifications.
Published: 2026-02-27
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Attribute Modification
Action: Immediate Patch
AI Analysis

Impact

A flaw in Keycloak allows an administrator who possesses manage‑users permission to bypass the "Only administrators can view" restriction on unmanaged attributes, enabling them to modify these attributes. This improper access control results in a direct integrity compromise of user profiles, potentially corrupting data that should be protected and enabling further misconfiguration or malicious activity. The weakness aligns with CWE‑266 (Missing Authorization for Modification).

Affected Systems

Affected products are Red Hat JBoss Enterprise Application Platform 8 and its Expansion Pack, Red Hat Single Sign-On 7, and the Red Hat build of Keycloak 26.4 (including 26.4.9). The vulnerability is present in the Red Hat build of Keycloak 26.4 and the newer versions associated with these products.

Risk and Exploitability

The CVSS score of 4.9 indicates a medium severity, while the EPSS score of less than 1% suggests exploitation is not common. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires local or remote access to the administrator interface with manage‑users permission, making it an insider or compromised‑admin threat. Because only privileged users can trigger it, the risk is moderate, but the impact on integrity warrants timely attention.

Generated by OpenCVE AI on April 16, 2026 at 15:31 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.


OpenCVE Recommended Actions

  • Apply the Red Hat errata RHSA-2026:2365 and RHSA-2026:2366 to update Keycloak to a patched version.
  • Restrict the manage‑users permission to trusted administrators only, or disable it for roles that do not require it.
  • Re‑implement or reinforce the "Only administrators can view" setting in Keycloak’s attribute visibility configuration to prevent unauthorized modification of unmanaged attributes.


Advisories

Source: GitHub GHSA
ID: GHSA-v4jw-m6rm-399h
Title: Keycloak Server Private SPI: Improper Access Control Allows Administrators to Bypass Attribute Visibility Restrictions and Modify Unmanaged User Profile Attributes
History

Fri, 06 Mar 2026 19:15:00 +0000

Metrics (values added): ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 02:15:00 +0000

First Time appeared (values added): Redhat keycloak
Weaknesses (values added): NVD-CWE-noinfo
CPEs (values added):
  cpe:2.3:a:redhat:build_of_keycloak:*:*:*:*:*:*:*:*
  cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:text-only:*:*:*
  cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*
Vendors & Products (values added): Redhat keycloak

Wed, 04 Mar 2026 11:00:00 +0000

First Time appeared (values added): Redhat build Of Keycloak; Redhat jboss Enterprise Application Platform Expansion Pack
Vendors & Products (values added): Redhat build Of Keycloak; Redhat jboss Enterprise Application Platform Expansion Pack

Fri, 27 Feb 2026 08:00:00 +0000

Description (values added): A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the system is configured to restrict such modifications.
Title (values added): Org.keycloak/keycloak-services: keycloak: unauthorized modification of unmanaged user attributes by administrators
First Time appeared (values added): Redhat; Redhat build Keycloak; Redhat jboss Enterprise Application Platform; Redhat jbosseapxp; Redhat red Hat Single Sign On
Weaknesses (values added): CWE-266
CPEs (values added):
  cpe:/a:redhat:build_keycloak:26.4::el9
  cpe:/a:redhat:jboss_enterprise_application_platform:8
  cpe:/a:redhat:jbosseapxp
  cpe:/a:redhat:red_hat_single_sign_on:7
Vendors & Products (values added): Redhat; Redhat build Keycloak; Redhat jboss Enterprise Application Platform; Redhat jbosseapxp; Redhat red Hat Single Sign On
References (values added): none listed
Metrics (values added): cvssV3_1
{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-03-06T18:50:44.774Z

Reserved: 2026-01-13T08:41:28.810Z

Link: CVE-2026-0871

Vulnrichment

Updated: 2026-03-06T18:50:39.440Z

NVD

Status : Analyzed

Published: 2026-02-27T08:17:09.410

Modified: 2026-03-05T02:03:32.580

Link: CVE-2026-0871

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T15:45:16Z

Weaknesses