Summary

When Unmanaged Attributes is set to `Only administrators can view`, an administrator who has the `manage-users` permission can nevertheless edit the unmanaged attributes, for example using curl or kcadm.sh:

./kcadm.sh update users/b0df9d35-3319-4e87-81ea-9a906372fa1f -r sample -s "attributes.lala=lala"

Requirements to exploit

The realm must have Unmanaged Attributes configured as `Only administrators can view`, and the admin must have permission to edit users.

Component affected: org.keycloak:keycloak-services
Version affected: <26.4.0
Patch available: no
CVSS (based on https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator): initially I would say medium.
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Base Score: 4.9 (Medium)
Embargo: no, if you consider it's moderate too.

Acknowledgement

Steps to reproduce

1. Create a new realm and, in Realm settings -> General tab, set Unmanaged Attributes to `Only administrators can view`.
2. Using kcadm with an admin that has the `manage-users` permission, edit a user with the command shown above.
3. The user is updated and you can see the new attribute in the console. The operation should instead return an error, or the unmanaged attributes should be skipped.
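To make the expected versus observed behaviour concrete, the following is an added model written for this report (it is not Keycloak's code and does not call the Keycloak API). It covers both the summary and the reproduction steps: the policy names follow Keycloak's unmanaged-attribute policy values (no policy set = Disabled, ENABLED, ADMIN_VIEW, ADMIN_EDIT); the function names, the `UserProfileConfig`/`Decision` shapes, the sample profile and the stored user are assumptions made for the example. `enforce` is what the admin update path should do; `vulnerable_enforce` reproduces what the report observes, namely that an admin under `ADMIN_VIEW` is treated as if the policy were `ADMIN_EDIT`.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

Attrs = Dict[str, List[str]]

# Root attributes are always managed by Keycloak regardless of the profile config.
ROOT_ATTRIBUTES = {"username", "email", "firstName", "lastName"}


@dataclass
class UserProfileConfig:
    """Subset of a realm's user profile config needed here (assumed shape, not Keycloak's)."""
    managed: Set[str]                 # attribute names declared in the user profile
    policy: Optional[str] = None      # None = Disabled; else ENABLED, ADMIN_VIEW, ADMIN_EDIT


@dataclass
class Decision:
    accepted: Attrs = field(default_factory=dict)
    rejected: Attrs = field(default_factory=dict)
    error: Optional[str] = None


def unmanaged_writable(cfg: UserProfileConfig, caller_is_admin: bool) -> bool:
    """Who may write unmanaged attributes under each policy."""
    if cfg.policy == "ENABLED":
        return True                   # users and admins
    if cfg.policy == "ADMIN_EDIT":
        return caller_is_admin        # admins only
    return False                      # Disabled and ADMIN_VIEW: nobody writes them


def enforce(cfg: UserProfileConfig, attributes: Attrs, caller_is_admin: bool,
            current: Attrs) -> Decision:
    """Expected behaviour: unmanaged attributes the caller may not write are rejected.
    An unmanaged attribute that arrives with its stored value is treated as unchanged
    and accepted, because the admin console round-trips the full representation
    (assumption of this model: a read-only value that does not change must not fail)."""
    decision = Decision()
    for name, value in attributes.items():
        managed = name in ROOT_ATTRIBUTES or name in cfg.managed
        unchanged = current.get(name) == value
        if managed or unmanaged_writable(cfg, caller_is_admin) or unchanged:
            decision.accepted[name] = value
        else:
            decision.rejected[name] = value
    if decision.rejected:
        decision.error = "read-only unmanaged attributes under policy %s: %s" % (
            cfg.policy or "DISABLED", sorted(decision.rejected))
    return decision


def vulnerable_enforce(cfg: UserProfileConfig, attributes: Attrs, caller_is_admin: bool,
                       current: Attrs) -> Decision:
    """Behaviour this report describes for keycloak-services <26.4.0: an admin with
    manage-users can write unmanaged attributes under ADMIN_VIEW as if it were ADMIN_EDIT."""
    if caller_is_admin and cfg.policy == "ADMIN_VIEW":
        cfg = UserProfileConfig(cfg.managed, "ADMIN_EDIT")
    return enforce(cfg, attributes, caller_is_admin, current)


if __name__ == "__main__":
    # Constructed sample: realm set to "Only administrators can view", one managed
    # attribute, one pre-existing unmanaged attribute on the stored user.
    realm = UserProfileConfig(managed={"department"}, policy="ADMIN_VIEW")
    stored = {"department": ["eng"], "legacy": ["x"]}
    request = {"lala": ["lala"]}      # the kcadm update from the report
    print("expected:", enforce(realm, request, True, stored))
    print("observed:", vulnerable_enforce(realm, request, True, stored))
```

Running it prints a rejection with an error for the expected path and an accepted `lala` attribute for the observed path; the same functions show that an admin round-tripping the stored `legacy` value is accepted under `ADMIN_VIEW`, while a non-admin is rejected even under `ADMIN_EDIT`.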