CVE-2026-41166: OpenRemote has Improper Access Control via updateUserRealmRoles function

April 22, 2026 (updated April 27, 2026)

A user who has write:admin in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including master. The handler uses the {realm} path segment when talking to the identity provider but does not check that the caller may administer that realm. This could result in a privilege escalation to master realm administrator if the attacker controls any user in master realm.

References

github.com/advisories/GHSA-49vv-25qx-mg44
github.com/openremote/openremote
github.com/openremote/openremote/releases/tag/1.22.1
github.com/openremote/openremote/security/advisories/GHSA-49vv-25qx-mg44
nvd.nist.gov/vuln/detail/CVE-2026-41166

Code Behaviors & Features

Detect and mitigate CVE-2026-41166 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →