Bug 2428881 (CVE-2026-0871)

Summary: CVE-2026-0871 org.keycloak/keycloak-services: Keycloak: Unauthorized modification of unmanaged user attributes by administrators
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aschwart, asoldano, bbaranow, bmaxwell, boliveir, brian.stansberry, darran.lofthouse, dosoudil, fjuma, istudens, ivassile, iweiss, mosmerov, mposolda, msvehla, nwallace, pberan, pesilva, pjindal, pmackay, rmartinc, rstancel, smaestri, ssilvert, sthorger, tom.jenkinson, vmuzikar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the system is configured to restrict such modifications.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-01-13 08:35:51 UTC
Summary

When the Unmanaged Attributes setting is set to Only administrators can view, an administrator that has the `manage-users` permission can still edit the unmanaged attributes. For example, using curl or kcadm.sh:

./kcadm.sh update users/b0df9d35-3319-4e87-81ea-9a906372fa1f -r sample -s "attributes.lala=lala"

Requirements to exploit

The realm's unmanaged attributes should be configured to `Only administrators can view`, and the admin should have permission to edit users.

Component affected:

org.keycloak:keycloak-services
Version affected: <26.4.0

Patch available: no

CVSS (based on https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator): Initially I would say medium:

Vector:

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Base Score: 4.9 (Medium)

Embargo: no, if you consider it moderate too.

Acknowledgement

Steps to reproduce

Create a new realm and, in realm settings -> General tab, configure unmanaged attributes to `Only administrators can view`.

Use kcadm (for example) to edit the user, as an admin that has the manage-users permission, using the presented command.

The user is updated and you can see the new attribute in the console.

The operation should return an error, or the attributes should be skipped.
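As an added defensive check, not part of this report or of Keycloak's own code, the script below audits exported Keycloak admin events for user updates that write attributes outside the managed user-profile schema while the realm's unmanaged-attribute policy is "Only administrators can view". It assumes the JSON shapes of the admin-event list (GET /admin/realms/{realm}/admin-events, with "Include representation" enabled in the realm's admin event settings) and of the user-profile configuration (GET /admin/realms/{realm}/users/profile), including the policy value names ENABLED, ADMIN_VIEW and ADMIN_EDIT; the events and configuration embedded in the script are constructed sample data, with the second event mirroring the kcadm call from the report.

```python
"""Audit Keycloak admin events for writes to unmanaged user attributes.

Added example, not part of the Bugzilla report or of Keycloak itself.
Assumed JSON shapes: admin-event records from GET /admin/realms/{realm}/admin-events
(with "Include representation" on) and the user-profile config from
GET /admin/realms/{realm}/users/profile. All data below is constructed.
"""
import json

# Constructed user-profile config: the realm state described in the report.
# Policy values as named in Keycloak's user-profile config (assumption):
#   ENABLED    - everyone may read and write unmanaged attributes
#   ADMIN_EDIT - only administrators may write them
#   ADMIN_VIEW - "Only administrators can view": nobody may write them
#   (absent)   - unmanaged attributes disabled entirely
UP_CONFIG = {
    "unmanagedAttributePolicy": "ADMIN_VIEW",
    "attributes": [
        {"name": "username"},
        {"name": "email"},
        {"name": "firstName"},
        {"name": "lastName"},
    ],
}

# Constructed admin events (representation is a JSON string, as Keycloak stores it).
ADMIN_EVENTS = [
    {   # legitimate update of a managed attribute
        "time": 1768293351000,
        "operationType": "UPDATE",
        "resourceType": "USER",
        "resourcePath": "users/b0df9d35-3319-4e87-81ea-9a906372fa1f",
        "authDetails": {"userId": "admin-1"},
        "representation": json.dumps({"attributes": {"email": ["a@example.com"]}}),
    },
    {   # write to an unmanaged attribute while the policy is ADMIN_VIEW
        "time": 1768293412000,
        "operationType": "UPDATE",
        "resourceType": "USER",
        "resourcePath": "users/b0df9d35-3319-4e87-81ea-9a906372fa1f",
        "authDetails": {"userId": "admin-1"},
        "representation": json.dumps({"attributes": {"lala": ["lala"]}}),
    },
    {   # representation missing ("Include representation" was off): cannot judge
        "time": 1768293500000,
        "operationType": "UPDATE",
        "resourceType": "USER",
        "resourcePath": "users/placeholder-user-id",
        "authDetails": {"userId": "admin-2"},
        "representation": None,
    },
]


def managed_attribute_names(up_config):
    """Names declared in the user-profile schema; everything else is unmanaged."""
    return {attr["name"] for attr in up_config.get("attributes", [])}


def admin_writes_forbidden(up_config):
    """True when the policy allows no writes to unmanaged attributes at all."""
    return up_config.get("unmanagedAttributePolicy") in (None, "ADMIN_VIEW")


def unmanaged_attributes_written(event, managed):
    """Unmanaged attribute names in a USER create/update event, or [] if none."""
    if event.get("resourceType") != "USER":
        return []
    if event.get("operationType") not in ("CREATE", "UPDATE"):
        return []
    raw = event.get("representation")
    if not raw:
        return []  # nothing to inspect without the representation
    try:
        body = json.loads(raw)
    except ValueError:
        return []
    attrs = body.get("attributes") or {}
    return sorted(name for name in attrs if name not in managed)


def audit(events, up_config):
    """Findings for events that wrote unmanaged attributes the policy forbids."""
    if not admin_writes_forbidden(up_config):
        return []
    managed = managed_attribute_names(up_config)
    findings = []
    for event in events:
        names = unmanaged_attributes_written(event, managed)
        if names:
            findings.append({
                "time": event.get("time"),
                "actor": (event.get("authDetails") or {}).get("userId"),
                "resourcePath": event.get("resourcePath"),
                "attributes": names,
            })
    return findings


if __name__ == "__main__":
    for finding in audit(ADMIN_EVENTS, UP_CONFIG):
        print(finding)
```

Run against a real export, the script only has something to work with if admin events are stored with their representation; without it (third sample event) the write is invisible to this check, which is itself a configuration gap worth closing on affected versions until the fix is deployed.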