CVE-2026-0871
MEDIUMKeycloak < 26.5.2 - Incorrect Privilege Assignment via Unmanaged Attribute Bypass
Title source: llmDescription
A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the system is configured to restrict such modifications.
References (4)
Core 4
Core References
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2026:2365
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2026:2366
Vendor Advisory vdb-entry
x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2026-0871
Vendor Advisory issue-tracking
x_refsource_redhat
https://bugzilla.redhat.com/show_bug.cgi?id=2428881
Scores
CVSS v3
4.9
EPSS
0.0031
EPSS Percentile
22.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-266
Status
published
Products (4)
org.keycloak/keycloak-server-spi-private
0 - 26.5.2Maven
redhat/build_of_keycloak
redhat/build_of_keycloak
< 26.4.9
redhat/keycloak
< 26.4.0
Published
Feb 27, 2026
Tracked Since
Feb 27, 2026