← voltar
CVE-2026-0871

Org.keycloak/keycloak-services: keycloak: unauthorized modification of unmanaged user attributes by administrators

CVSS 4.9 MEDIUMEPSS 0.3%CWE-266
Vexday Risk Score
13Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 4.9EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch referenciado
Ciclo de vida
27 fev 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the system is configured to restrict such modifications.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Produtos afetados
Red Hat · Red Hat build of Keycloak 26.4Red Hat · Red Hat build of Keycloak 26.4.9Red Hat · Red Hat JBoss Enterprise Application Platform 8Red Hat · Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat · Red Hat Single Sign-On 7

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://access.redhat.com/errata/RHSA-2026:2365https://access.redhat.com/errata/RHSA-2026:2366https://access.redhat.com/security/cve/CVE-2026-0871https://bugzilla.redhat.com/show_bug.cgi?id=2428881