CVE-2026-41166

Published: Apr 22, 2026

Modified: Apr 28, 2026

PUBLISHED

CVSS v3.1

7.0

HIGH

Description

OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has `write:admin` in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including `master`. The handler uses the `{realm}` path segment when talking to the identity provider but does not check that the caller may administer that realm. This could result in a privilege escalation to `master` realm administrator if the attacker controls any user in `master` realm. Version 1.22.1 fixes the issue.

Vendor	Product	Versions
openremote	openremote	affected `< 1.22.1`

Weaknesses (CWE)

CWE-284

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

Low

References

https://github.com/openremote/openremote/security/advisories/GHSA-49vv-25qx-mg44

x_refsource_CONFIRM

https://github.com/openremote/openremote/releases/tag/1.22.1

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-41166

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References