CVE-2026-0871

Опубликовано: 27 фев. 2026

Источник: nvd

CVSS3: 4.9

EPSS Низкий

Описание

A flaw was found in Keycloak. An administrator with manage-users permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the system is configured to restrict such modifications.

Ссылки

https://access.redhat.com/errata/RHSA-2026:2365
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:2366
Vendor Advisory
https://access.redhat.com/security/cve/CVE-2026-0871
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2428881
Issue Tracking
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:redhat:build_of_keycloak:*:*:*:*:*:*:*:*

Версия до 26.4.9 (исключая)

cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:text-only:*:*:*

cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*

Версия до 26.4.0 (исключая)

EPSS

Процентиль: 9%

0.00032

Низкий

4.9 Medium

CVSS3

Дефекты

CWE-266

NVD-CWE-noinfo

Связанные уязвимости

CVE-2026-0871

CVSS3: 4.9

redhat

около 1 года назад

A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the system is configured to restrict such modifications.

CVE-2026-0871

CVSS3: 4.9

debian

около 1 месяца назад

A flaw was found in Keycloak. An administrator with `manage-users` per ...

GHSA-v4jw-m6rm-399h

CVSS3: 4.9

github

около 1 месяца назад

Keycloak Server Private SPI: Improper Access Control Allows Administrators to Bypass Attribute Visibility Restrictions and Modify Unmanaged User Profile Attributes

EPSS

Процентиль: 9%

0.00032

Низкий

4.9 Medium

CVSS3

Дефекты

CWE-266

NVD-CWE-noinfo