Description

OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has `write:admin` in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including `master`. The handler uses the `{realm}` path segment when talking to the identity provider but does not check that the caller may administer that realm. This could result in a privilege escalation to `master` realm administrator if the attacker controls any user in `master` realm. Version 1.22.1 fixes the issue.

INFO

Published Date :

2026-04-22T20:31:29.234Z

Last Modified :

2026-04-28T03:55:21.242Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-41166 vulnerability.

Vendors Products
Openremote
  • Openremote
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-41166.

URL Resource
https://github.com/openremote/openremote/releases/tag/1.22.1 cve-icon cve-icon
https://github.com/openremote/openremote/security/advisories/GHSA-49vv-25qx-mg44 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact