{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41166", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-17T16:34:45.525Z", "datePublished": "2026-04-22T20:31:29.234Z", "dateUpdated": "2026-04-28T03:55:21.242Z"}, "containers": {"cna": {"title": "OpenRemote has Improper Access Control via updateUserRealmRoles function", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/openremote/openremote/security/advisories/GHSA-49vv-25qx-mg44", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openremote/openremote/security/advisories/GHSA-49vv-25qx-mg44"}, {"name": "https://github.com/openremote/openremote/releases/tag/1.22.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/openremote/openremote/releases/tag/1.22.1"}], "affected": [{"vendor": "openremote", "product": "openremote", "versions": [{"version": "< 1.22.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-22T20:31:29.234Z"}, "descriptions": [{"lang": "en", "value": "OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has `write:admin` in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including `master`. The handler uses the `{realm}` path segment when talking to the identity provider but does not check that the caller may administer that realm. This could result in a privilege escalation to `master` realm administrator if the attacker controls any user in `master` realm. Version 1.22.1 fixes the issue."}], "source": {"advisory": "GHSA-49vv-25qx-mg44", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/openremote/openremote/security/advisories/GHSA-49vv-25qx-mg44", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T00:00:00+00:00", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-41166"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T03:55:21.242Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41166", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-27T13:38:44.712056Z"}}}], "references": [{"url": "https://github.com/openremote/openremote/security/advisories/GHSA-49vv-25qx-mg44", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T12:55:10.059Z"}}], "cna": {"title": "OpenRemote has Improper Access Control via updateUserRealmRoles function", "source": {"advisory": "GHSA-49vv-25qx-mg44", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "openremote", "product": "openremote", "versions": [{"status": "affected", "version": "< 1.22.1"}]}], "references": [{"url": "https://github.com/openremote/openremote/security/advisories/GHSA-49vv-25qx-mg44", "name": "https://github.com/openremote/openremote/security/advisories/GHSA-49vv-25qx-mg44", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openremote/openremote/releases/tag/1.22.1", "name": "https://github.com/openremote/openremote/releases/tag/1.22.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has `write:admin` in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including `master`. The handler uses the `{realm}` path segment when talking to the identity provider but does not check that the caller may administer that realm. This could result in a privilege escalation to `master` realm administrator if the attacker controls any user in `master` realm. Version 1.22.1 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-22T20:31:29.234Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41166", "state": "PUBLISHED", "dateUpdated": "2026-04-28T03:55:21.242Z", "dateReserved": "2026-04-17T16:34:45.525Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-22T20:31:29.234Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openremote:openremote:*:*:*:*:*:*:*:*", "matchCriteriaId": "69912FC9-C280-4732-9D5B-9B323D1868A8", "versionEndExcluding": "1.22.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has `write:admin` in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including `master`. The handler uses the `{realm}` path segment when talking to the identity provider but does not check that the caller may administer that realm. This could result in a privilege escalation to `master` realm administrator if the attacker controls any user in `master` realm. Version 1.22.1 fixes the issue."}], "id": "CVE-2026-41166", "lastModified": "2026-04-24T13:10:21.543", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-22T21:17:09.167", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/openremote/openremote/releases/tag/1.22.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/openremote/openremote/security/advisories/GHSA-49vv-25qx-mg44"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/openremote/openremote/security/advisories/GHSA-49vv-25qx-mg44"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.22.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openremote", "source": "cna", "vendor": "openremote"}, "product": "openremote", "vendor": "openremote"}], "analysis": {"en": {"generated_at": "2026-04-27T08:25:58.550040+00:00", "value": {"mitigation_remediation": ["Upgrade OpenRemote to version 1.22.1 or later, which removes the access control check on the updateUserRealmRoles endpoint.", "Restrict the write:admin role in Keycloak so that only trusted administrators possess it, ensuring that no regular or non-administrative users have this privilege in unrelated realms.", "Monitor Manager API traffic for updateUserRealmRoles calls across realms and set alerts for anomalies such as cross\u2011realm role modifications."], "summary": {"action": "Patch Immediately", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The OpenRemote platform (openremote:openremote) versions prior to 1.22.1, including the 1.22.0 release, are affected. This includes all installations that have not yet been upgraded to 1.22.1 or later.", "description_and_impact": "OpenRemote\u2019s Manager API function updateUserRealmRoles does not verify the caller\u2019s administrative privileges for the targeted realm. A user with write:admin access in any Keycloak realm can invoke this endpoint to modify role assignments for users in other realms, including the master realm. The flaw enables an attacker to grant themselves or others administrative rights in the master realm, effectively providing full control over the platform\u2019s identity infrastructure. This is an Access Control issue (CWE\u2011284). Based on the description, it is inferred that an attacker possessing write:admin in any realm can exploit the Manager API by specifying an alternate realm in the request path.", "risk_and_exploitability": "The CVSS score of 7 indicates a medium severity vulnerability. The exploit probability is unspecified (EPSS not available), and the issue is not listed in the CISA KEV catalog. An attacker can achieve privilege escalation by using documented API calls, but the attack requires authenticated access to the Manager API with the write:admin role in any realm. Because the flaw permits escalation to master realm administrator, the impact is high if the attacker succeeds, but no public exploitation has been reported to date."}}}}, "created": "2026-04-22T21:30:27.594810+00:00", "updated": "2026-04-27T18:42:00.082016+00:00", "vendors": ["openremote", "openremote$PRODUCT$openremote"]}