Vulnerability DatabaseCVE-2026-41166
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-41166
Published:April 22, 2026
Updated:May 18, 2026
OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has "write:admin" in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including "master". The handler uses the "{realm}" path segment when talking to the identity provider but does not check that the caller may administer that realm. This could result in a privilege escalation to "master" realm administrator if the attacker controls any user in "master" realm. Version 1.22.1 fixes the issue.
Affected Packages
io.openremote:openremote-manager (JAVA):
Affected version(s) >=1.2.0 <1.22.1
Fix Suggestion:
Update to version 1.22.1
io.openremote:openremote-manager (JAVA):
Affected version(s) >=1.2.0 <1.22.1
Fix Suggestion:
Update to version 1.22.1
Related Resources (4)
https://nvd.nist.gov/vuln/detail/CVE-2026-41166
https://github.com/openremote/openremote
https://github.com/openremote/openremote/security/advisories/GHSA-49vv-25qx-mg44
https://github.com/openremote/openremote/releases/tag/1.22.1
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
HIGH
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
HIGH
Availability
LOW
Weakness Type (CWE)
Improper Access Control
CWE-284
EPSS
Base Score:
0.05