Moderate severity · NVD Advisory · Published Feb 27, 2026 · Updated Mar 6, 2026

Org.keycloak/keycloak-services: keycloak: unauthorized modification of unmanaged user attributes by administrators

CVE-2026-0871

Description

A flaw was found in Keycloak. An administrator with manage-users permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the system is configured to restrict such modifications.


Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
| --- | --- | --- | --- |
| org.keycloak:keycloak-server-spi-private | Maven | < 26.5.2 | 26.5.2 |
