CVE-2026-0871 MEDIUM

CVE-2026-0871: Org.keycloak/keycloak-services: keycloak: unauthorized modification of unmanaged user attributes by administrators

Vendor: Red Hat
Product: Red Hat build of Keycloak 26.4.9
Weakness: CWE-266
Published: February 27, 2026
Last update: March 6, 2026

CVSS base score

4.9/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Confidentiality: None
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01 Description

A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the system is configured to restrict such modifications.

Key dates

02 Disclosure timeline

February 27, 2026: CVE published
March 6, 2026: Record updated

Related vulnerabilities

04 Related CVE