High severity (7.0) | NVD Advisory | Published Apr 22, 2026 | Updated Apr 24, 2026
CVE-2026-41166
Description
OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has write:admin in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including master. The handler uses the {realm} path segment when talking to the identity provider but does not check that the caller may administer that realm. This could result in a privilege escalation to master realm administrator if the attacker controls any user in master realm. Version 1.22.1 fixes the issue.
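As an added example (not OpenRemote's code), the handler pattern the description attributes to versions before 1.22.1 is shown beside a hardened version that binds the {realm} path segment to the caller's own realm; the Caller type, the in-memory role store and the own-realm-only policy are assumptions.

```python
"""Constructed illustration of the missing realm check described in
CVE-2026-41166. The role store, Caller type and policy are assumed, not
taken from OpenRemote."""
from dataclasses import dataclass, field

ADMIN_ROLE = "write:admin"   # role name as given in the advisory text


@dataclass
class Caller:
    realm: str                # Keycloak realm the caller authenticated in
    roles: set = field(default_factory=set)


class Forbidden(Exception):
    pass


def update_realm_roles_vulnerable(caller, path_realm, user_id, roles, store):
    """Pattern the advisory describes: checks that the caller holds
    write:admin in *some* realm, then trusts the {realm} path segment."""
    if ADMIN_ROLE not in caller.roles:
        raise Forbidden("caller lacks write:admin")
    store.setdefault(path_realm, {})[user_id] = set(roles)
    return True


def may_administer(caller, target_realm):
    """Assumed policy: a write:admin may only manage its own realm."""
    return ADMIN_ROLE in caller.roles and caller.realm == target_realm


def update_realm_roles_fixed(caller, path_realm, user_id, roles, store):
    """Hardened handler: the caller must be allowed to administer the realm
    named in the path before the identity provider is touched."""
    if not may_administer(caller, path_realm):
        raise Forbidden(f"realm {caller.realm!r} admin may not manage {path_realm!r}")
    store.setdefault(path_realm, {})[user_id] = set(roles)
    return True


def demo():
    """Tenant admin tries to grant write:admin to a master-realm user.
    Returns (escalated_with_vulnerable_handler, blocked_by_fixed_handler)."""
    tenant_admin = Caller(realm="tenant-a", roles={ADMIN_ROLE})
    store = {"master": {"u-master": {"read:all"}}}     # constructed sample data
    update_realm_roles_vulnerable(tenant_admin, "master", "u-master", [ADMIN_ROLE], store)
    escalated = ADMIN_ROLE in store["master"]["u-master"]
    store2 = {"master": {"u-master": {"read:all"}}}
    try:
        update_realm_roles_fixed(tenant_admin, "master", "u-master", [ADMIN_ROLE], store2)
        blocked = False
    except Forbidden:
        blocked = True
    return escalated, blocked
```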
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.openremote:openremote-manager (Maven) | < 1.22.1 | 1.22.1 |
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
- github.com/openremote/openremote/security/advisories/GHSA-49vv-25qx-mg44 (source: nvd; tags: Exploit, Vendor Advisory)
- github.com/advisories/GHSA-49vv-25qx-mg44 (source: ghsa; tag: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-41166 (source: ghsa; tag: Advisory)
- github.com/openremote/openremote/releases/tag/1.22.1 (source: nvd; tags: Product, Release Notes)
News mentions: 0 (no linked articles in our index yet)