PT-2026-34453 · Red Hat · Keycloak

Published: 2026-04-22 · Updated: 2026-04-22 · CVE-2026-41166

CVSS v3.1: 7.0 High
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions: OpenRemote versions prior to 1.22.1
Description: A user holding the write:admin role in one Keycloak realm can use the Manager API to update the Keycloak realm roles of users in a different realm, including the master realm. The handler forwards the {realm} path segment to the identity provider but never verifies that the caller has administrative privileges for that specific realm. The flaw is in the updateUserRealmRoles() method in manager/src/main/java/org/openremote/manager/security/UserResourceImpl.java. An attacker who controls any user in the master realm can therefore assign that user the master realm's administrator role and escalate to master realm administrator.
Recommendations: Update to version 1.22.1.
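To make the missing check concrete, the following added example models the flawed pattern next to a hardened one. It is illustrative Python written for this page, not OpenRemote's Java handler and not the patched code; the in-memory FakeIdentityProvider, the Caller type, the realm names (tenant-a, tenant-b), the user names (mallory, alice, bob) and the policy that master-realm admins may manage every realm are all assumptions made here. Only the write:admin role name and the master realm come from the advisory text.

```python
from dataclasses import dataclass, field

# Hypothetical in-memory model of a realm-scoped role-update handler; not OpenRemote's code.
MASTER_REALM = "master"
ADMIN_ROLE = "write:admin"  # role name taken from the advisory text


@dataclass(frozen=True)
class Caller:
    """The authenticated caller: the realm its token was issued for and its realm roles."""
    realm: str
    roles: frozenset


@dataclass
class FakeIdentityProvider:
    """Stand-in for the Keycloak client: realm -> user_id -> set of realm roles (constructed)."""
    roles: dict = field(default_factory=dict)

    def set_user_realm_roles(self, realm: str, user_id: str, new_roles: set) -> None:
        self.roles.setdefault(realm, {})[user_id] = set(new_roles)

    def get_user_realm_roles(self, realm: str, user_id: str) -> set:
        return set(self.roles.get(realm, {}).get(user_id, set()))


class Forbidden(Exception):
    pass


def update_user_realm_roles_vulnerable(idp, caller, realm, user_id, new_roles):
    """Models the flawed pattern: the caller's admin role is checked, but the {realm}
    path segment is forwarded to the identity provider without checking that the
    caller administers that particular realm."""
    if ADMIN_ROLE not in caller.roles:
        raise Forbidden(f"{ADMIN_ROLE} required")
    idp.set_user_realm_roles(realm, user_id, new_roles)


def caller_administers_realm(caller, realm):
    """Assumed policy (not taken from the advisory): a realm admin manages only the
    realm their token was issued for; admins of the master realm manage every realm."""
    if ADMIN_ROLE not in caller.roles:
        return False
    return caller.realm == realm or caller.realm == MASTER_REALM


def update_user_realm_roles_fixed(idp, caller, realm, user_id, new_roles):
    """Hardened handler: the target realm is authorised against the caller before
    the identity provider is touched."""
    if not caller_administers_realm(caller, realm):
        raise Forbidden(f"caller is not an administrator of realm {realm!r}")
    idp.set_user_realm_roles(realm, user_id, new_roles)


def replay_cross_realm_escalation():
    """Constructed scenario: an admin of realm 'tenant-a' who also controls the
    low-privilege user 'mallory' in the master realm tries to grant that user the
    master realm's admin role through each handler. Returns what each handler did
    and mallory's resulting master-realm roles."""
    results = {}
    for name, handler in (("vulnerable", update_user_realm_roles_vulnerable),
                          ("fixed", update_user_realm_roles_fixed)):
        idp = FakeIdentityProvider()
        idp.set_user_realm_roles(MASTER_REALM, "mallory", {"viewer"})
        tenant_admin = Caller(realm="tenant-a", roles=frozenset({ADMIN_ROLE}))
        try:
            handler(idp, tenant_admin, MASTER_REALM, "mallory", {"viewer", ADMIN_ROLE})
            outcome = "granted"
        except Forbidden:
            outcome = "forbidden"
        results[name] = (outcome, idp.get_user_realm_roles(MASTER_REALM, "mallory"))
    return results


def replay_legitimate_updates():
    """The fixed handler must still allow in-realm administration and, under the
    assumed policy, master-realm administration of other realms."""
    idp = FakeIdentityProvider()
    tenant_admin = Caller(realm="tenant-a", roles=frozenset({ADMIN_ROLE}))
    master_admin = Caller(realm=MASTER_REALM, roles=frozenset({ADMIN_ROLE}))
    update_user_realm_roles_fixed(idp, tenant_admin, "tenant-a", "alice", {"read:assets"})
    update_user_realm_roles_fixed(idp, master_admin, "tenant-b", "bob", {"write:assets"})
    return {
        "alice": idp.get_user_realm_roles("tenant-a", "alice"),
        "bob": idp.get_user_realm_roles("tenant-b", "bob"),
    }


if __name__ == "__main__":
    print(replay_cross_realm_escalation())
    print(replay_legitimate_updates())
```

The point of the two replay functions is the shape of the check, not the policy details: the authorisation decision has to be made against the realm named in the request, not merely against whether the caller is an admin of some realm, and it has to happen before any call to the identity provider. When auditing a similar handler, look for every place a path or body parameter selects the tenant and confirm the caller's token is scoped to that same tenant.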

Fix

Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2026-41166
GHSA-49VV-25QX-MG44

Affected Products

Keycloak
OpenRemote