Vulnerability Description
OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has `write:admin` in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including `master`. The handler uses the `{realm}` path segment when talking to the identity provider but does not check that the caller may administer that realm. This could result in a privilege escalation to `master` realm administrator if the attacker controls any user in `master` realm. Version 1.22.1 fixes the issue.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openremote | Openremote | < 1.22.1 |
Related Weaknesses (CWE)
References
- https://github.com/openremote/openremote/releases/tag/1.22.1ProductRelease Notes
- https://github.com/openremote/openremote/security/advisories/GHSA-49vv-25qx-mg44ExploitVendor Advisory
- https://github.com/openremote/openremote/security/advisories/GHSA-49vv-25qx-mg44ExploitVendor Advisory
FAQ
What is CVE-2026-41166?
CVE-2026-41166 is a vulnerability with a CVSS score of 7.0 (HIGH). OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has `write:admin` in one Keycloak realm can call the Manager API to update Keycloak realm roles for users ...
How severe is CVE-2026-41166?
CVE-2026-41166 has been rated HIGH with a CVSS base score of 7.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-41166?
Check the references section above for vendor advisories and patch information. Affected products include: Openremote Openremote.