Description
OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has `write:admin` in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including `master`. The handler uses the `{realm}` path segment when talking to the identity provider but does not check that the caller may administer that realm. This could result in a privilege escalation to `master` realm administrator if the attacker controls any user in `master` realm. Version 1.22.1 fixes the issue.
Published: 2026-04-22
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch Immediately
AI Analysis

Impact

OpenRemote's Manager API function updateUserRealmRoles does not verify that the caller holds administrative privileges for the realm named in the request path. A user with write:admin in any Keycloak realm can therefore invoke this endpoint to modify role assignments for users in other realms, including the master realm. The flaw lets an attacker grant themselves or others administrative rights in the master realm, which amounts to full control over the platform's identity infrastructure. This is an access control issue (CWE-284). From the description it follows that an attacker holding write:admin in any realm can reach the vulnerable path simply by naming a different realm in the request.

Affected Systems

The OpenRemote platform (openremote:openremote) versions prior to 1.22.1, including the 1.22.0 release, are affected. This includes all installations that have not yet been upgraded to 1.22.1 or later.

Risk and Exploitability

The CVSS base score of 7 corresponds to high severity; the EPSS score is below 1% (very low), and the issue is not listed in the CISA KEV catalog. An attacker can achieve privilege escalation using documented API calls, but the attack requires authenticated access to the Manager API with the write:admin role in some realm. Because the flaw permits escalation to master realm administrator, the impact is high if the attack succeeds; no public exploitation has been reported to date.

Generated by OpenCVE AI on April 27, 2026 at 08:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenRemote to version 1.22.1 or later, which adds the missing realm authorization check to the updateUserRealmRoles endpoint.
  • Restrict the write:admin role in Keycloak to trusted administrators, so that no regular or non-administrative user holds it in any realm.
  • Monitor Manager API traffic for updateUserRealmRoles calls and alert on anomalies such as cross-realm role modifications (requests that name a realm other than the caller's own).
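As an added illustration (not OpenRemote's own code) of the missing check described above and of the cross-realm monitoring recommended in the last bullet, the following Python contrasts a handler that checks only the role with one that also ties the role to the `{realm}` path segment, and scans constructed audit-log lines for cross-realm role updates. The Caller model, the log format, and the rule that a master-realm admin may administer every realm are assumptions.

```python
"""Realm-scoped authorization check and cross-realm audit, as a constructed
illustration of the bug class in this advisory (not OpenRemote's own code)."""
import re
from dataclasses import dataclass

ADMIN_ROLE = "write:admin"

@dataclass(frozen=True)
class Caller:
    realm: str        # realm the caller's token was issued for
    roles: frozenset  # roles the caller holds in that realm

def may_update_roles_unchecked(caller: Caller, path_realm: str) -> bool:
    """Vulnerable pattern: the role is checked, but not the realm it is scoped
    to; path_realm (the {realm} path segment) is never compared with the
    caller's own realm, so any realm's admin passes."""
    return ADMIN_ROLE in caller.roles

def may_update_roles_checked(caller: Caller, path_realm: str) -> bool:
    """Hardened pattern: the admin role only counts for the realm it was
    granted in; a master-realm admin may administer every realm (assumed
    policy, following Keycloak's usual master-realm semantics)."""
    if ADMIN_ROLE not in caller.roles:
        return False
    return caller.realm == path_realm or caller.realm == "master"

# Constructed audit-log format: one line per role-update request.
LOG_RE = re.compile(
    r"op=updateUserRealmRoles caller_realm=(\S+) path_realm=(\S+) target_user=(\S+)"
)

def find_cross_realm_updates(lines):
    """Return (caller_realm, path_realm, target_user) for every role update
    whose path realm differs from the caller's realm; master-origin hits are
    expected from a central admin but still worth an alert rule."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group(1) != m.group(2):
            hits.append(m.groups())
    return hits

SAMPLE_LOG = [  # constructed sample lines
    "2026-04-22T20:45:00Z op=updateUserRealmRoles caller_realm=tenant-a path_realm=tenant-a target_user=alice",
    "2026-04-22T20:46:10Z op=updateUserRealmRoles caller_realm=tenant-a path_realm=master target_user=svc-admin",
    "2026-04-22T20:47:30Z op=updateUserRealmRoles caller_realm=master path_realm=tenant-b target_user=bob",
]
```

The second sample line is the pattern this advisory describes: a tenant-realm admin naming `master` in the path.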

Advisories

Source: Github GHSA
ID: GHSA-49vv-25qx-mg44
Title: OpenRemote has Improper Access Control via updateUserRealmRoles function
History

Mon, 27 Apr 2026 14:15:00 +0000
  Metrics (ssvc)
    Removed: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
    Added:   {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 13:15:00 +0000
  CPEs
    Added: cpe:2.3:a:openremote:openremote:*:*:*:*:*:*:*:*

Thu, 23 Apr 2026 13:15:00 +0000
  Metrics (ssvc)
    Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 21:45:00 +0000
  First Time appeared
    Added: Openremote; Openremote openremote
  Vendors & Products
    Added: Openremote; Openremote openremote

Wed, 22 Apr 2026 20:45:00 +0000
  Description
    Added: (text identical to the Description section above)
  Title
    Added: OpenRemote has Improper Access Control via updateUserRealmRoles function
  Weaknesses
    Added: CWE-284
  References
    Added: (none listed)
  Metrics (cvssV3_1)
    Added: {'score': 7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-28T03:55:21.242Z

Reserved: 2026-04-17T16:34:45.525Z

Link: CVE-2026-41166

Vulnrichment

Updated: 2026-04-23T12:55:10.059Z

NVD

Status: Analyzed

Published: 2026-04-22T21:17:09.167

Modified: 2026-04-24T13:10:21.543

Link: CVE-2026-41166

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T18:42:00Z

Weaknesses