Home

Description

A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the system is configured to restrict such modifications.

PUBLISHED Reserved 2026-01-13 | Published 2026-02-27 | Updated 2026-02-27 | Assigner redhat




MEDIUM: 4.9CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Problem types

Incorrect Privilege Assignment

Product status

Default status
affected

26.4.9-1 (rpm) before *
unaffected

Default status
affected

26.4-11 (rpm) before *
unaffected

Default status
affected

26.4-10 (rpm) before *
unaffected

Default status
unaffected

Default status
affected

Default status
affected

Default status
affected

Timeline

2026-01-13:Reported to Red Hat.
2025-01-13:Made public.

References

access.redhat.com/errata/RHSA-2026:2365 (RHSA-2026:2365) vendor-advisory

access.redhat.com/errata/RHSA-2026:2366 (RHSA-2026:2366) vendor-advisory

access.redhat.com/security/cve/CVE-2026-0871 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2428881 (RHBZ#2428881) issue-tracking

cve.org (CVE-2026-0871)

nvd.nist.gov (CVE-2026-0871)

Download JSON