{
  "threat_severity" : "Moderate",
  "public_date" : "2025-01-13T08:08:00Z",
  "bugzilla" : {
    "description" : "org.keycloak/keycloak-services: Keycloak: Unauthorized modification of unmanaged user attributes by administrators",
    "id" : "2428881",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2428881"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.9",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-266",
  "details" : [ "A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the \"Only administrators can view\" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the system is configured to restrict such modifications.", "A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the \"Only administrators can view\" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the system is configured to restrict such modifications." ],
  "statement" : "This vulnerability is rated Moderate for Red Hat. An administrator with `manage-users` permission can modify unmanaged user attributes in Keycloak, even when the \"Only administrators can view\" setting is enabled. This bypass requires the realm to be configured with unmanaged attributes set to \"Only administrators can view\" and the administrator to possess `manage-users` permission.",
  "affected_release" : [ {
    "product_name" : "Red Hat build of Keycloak 26.4",
    "release_date" : "2026-02-09T00:00:00Z",
    "advisory" : "RHSA-2026:2366",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-operator-bundle:26.4.9-1"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.4",
    "release_date" : "2026-02-09T00:00:00Z",
    "advisory" : "RHSA-2026:2366",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-rhel9:26.4-11"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.4",
    "release_date" : "2026-02-09T00:00:00Z",
    "advisory" : "RHSA-2026:2366",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-rhel9-operator:26.4-10"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.4.9",
    "release_date" : "2026-02-09T00:00:00Z",
    "advisory" : "RHSA-2026:2365",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-rhel9"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Fix deferred",
    "package_name" : "keycloak-services",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Fix deferred",
    "package_name" : "keycloak-services",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Fix deferred",
    "package_name" : "keycloak-services",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-0871\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-0871" ],
  "name" : "CVE-2026-0871",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria, which comprise ease of use and deployment, applicability to a widespread installation base, and stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}