exploitDog
CVE-2026-0871

Published: 13 Jan 2025
Source: redhat
CVSS3: 4.9
EPSS: Low

Description

A flaw was found in Keycloak. An administrator with manage-users permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the system is configured to restrict such modifications.

Statement

This vulnerability is rated Moderate for Red Hat. An administrator with manage-users permission can modify unmanaged user attributes in Keycloak, even when the "Only administrators can view" setting is enabled. This bypass requires the realm to be configured with unmanaged attributes set to "Only administrators can view" and the administrator to possess manage-users permission.

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Affected packages

Platform | Package | State | Advisory | Release
Red Hat JBoss Enterprise Application Platform 8 | keycloak-services | Fix deferred | | 
Red Hat JBoss Enterprise Application Platform Expansion Pack | keycloak-services | Fix deferred | | 
Red Hat Single Sign-On 7 | keycloak-services | Fix deferred | | 
Red Hat build of Keycloak 26.4 | rhbk/keycloak-operator-bundle | Fixed | RHSA-2026:2366 | 09.02.2026
Red Hat build of Keycloak 26.4 | rhbk/keycloak-rhel9 | Fixed | RHSA-2026:2366 | 09.02.2026
Red Hat build of Keycloak 26.4 | rhbk/keycloak-rhel9-operator | Fixed | RHSA-2026:2366 | 09.02.2026
Red Hat build of Keycloak 26.4.9 | rhbk/keycloak-rhel9 | Fixed | RHSA-2026:2365 | 09.02.2026

Additional information

Status: Moderate
Weakness: CWE-266
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2428881
org.keycloak/keycloak-services: Keycloak: Unauthorized modification of unmanaged user attributes by administrators

EPSS: 0.00032 (percentile: 9%, Low)

CVSS3: 4.9 Medium

Related vulnerabilities

CVSS3: 4.9
nvd
about 1 month ago

A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the system is configured to restrict such modifications.

CVSS3: 4.9
debian
about 1 month ago

A flaw was found in Keycloak. An administrator with `manage-users` per ...

CVSS3: 4.9
github
about 1 month ago

Keycloak Server Private SPI: Improper Access Control Allows Administrators to Bypass Attribute Visibility Restrictions and Modify Unmanaged User Profile Attributes
