logo

Database

Privilege escalation In org.keycloak:keycloak-server-spi-private

Description

Keycloak Server Private SPI: Improper Access Control Allows Administrators to Bypass Attribute Visibility Restrictions and Modify Unmanaged User Profile Attributes A flaw was found in Keycloak. An administrator with manage-users permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the system is configured to restrict such modifications.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-08712. NVD-2026-08713. OSV-2026-08714. GCVE-2026-08715. access.redhat.com6. access.redhat.com7. ACCESS-CVE-2026-0871

References

1. https://github.com/keycloak/keycloak/issues/458732. https://github.com/keycloak/keycloak/commit/9d0f679ecea405958f167fcd0f4a6db6ae32c3fa3. https://bugzilla.redhat.com/show_bug.cgi?id=2428881

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.