CVE-2026-0871 Overview
A flaw was found in Keycloak where an administrator with manage-users permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control vulnerability can lead to unauthorized changes to user profiles, even when the system is specifically configured to restrict such modifications.
Critical Impact
Administrators with manage-users permission can bypass attribute visibility restrictions and modify user profile attributes that should be protected, potentially compromising user data integrity and security configurations.
Affected Products
- Red Hat Build of Keycloak
- Red Hat Keycloak
Discovery Timeline
- 2026-02-27 - CVE-2026-0871 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-0871
Vulnerability Analysis
This vulnerability represents an improper access control flaw (CWE-266: Incorrect Privilege Assignment) in Keycloak's user attribute management system. The core issue lies in how Keycloak enforces visibility and modification restrictions on unmanaged user attributes.
When administrators configure certain user profile attributes as "Only administrators can view," the expectation is that these attributes are protected from modification. However, administrators with the manage-users permission can circumvent these restrictions and modify attributes that should be read-only according to the system configuration. This breaks the expected security model where view-only restrictions should prevent modifications.
The vulnerability requires high privileges (administrator access with manage-users permission) and network access to exploit, which limits the attack surface to insider threats or compromised administrator accounts.
Root Cause
The root cause is an incorrect privilege assignment in Keycloak's access control logic. The system fails to properly enforce the distinction between "view" permissions and "modify" permissions for unmanaged attributes when processing requests from administrators with manage-users privileges. The access control check validates that the user has administrator rights but does not properly enforce the additional restriction that limits the attribute to view-only access.
Attack Vector
An attacker with administrator-level access and manage-users permission can exploit this vulnerability through the Keycloak administrative interface or API. The attack requires network access to the Keycloak instance and valid administrator credentials.
The exploitation flow involves:
- Authenticating to Keycloak with an administrator account that has manage-users permission
- Identifying user profiles with unmanaged attributes configured as "Only administrators can view"
- Sending modification requests for these protected attributes through the admin API or console
- The improper access control allows the modification to succeed despite the view-only configuration
This vulnerability does not require user interaction and can be exploited programmatically, allowing bulk modifications to user attributes across the system.
Detection Methods for CVE-2026-0871
Indicators of Compromise
- Unexpected modifications to user profile attributes that are configured as view-only for administrators
- Audit log entries showing attribute changes made to protected unmanaged attributes
- Changes to user attributes by administrators that should not have modification rights according to policy
Detection Strategies
- Review Keycloak audit logs for attribute modification events targeting unmanaged attributes with view-only restrictions
- Implement alerting on user profile changes made to attributes designated as protected or view-only
- Monitor administrative API calls that modify user attributes, especially those targeting unmanaged attribute fields
Monitoring Recommendations
- Enable comprehensive audit logging in Keycloak for all user attribute modifications
- Configure SIEM rules to detect modifications to user attributes that are protected by administrative view-only policies
- Periodically review user attribute configurations and compare against expected baselines
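The detection strategies and monitoring steps above can be turned into a simple triage script. The following is an added example (not Keycloak's own code, not part of the original advisory) that reads the realm's user-profile configuration and admin-event records, both in the JSON shape the admin API returns for users/profile and admin-events, and flags USER UPDATE events whose submitted representation carries attributes that the profile says no one may edit; all sample data is constructed, and it assumes the realm's event config has "include representation" enabled.

```python
"""Flag Keycloak admin events that submit admin-view-only attributes.
Added example, not Keycloak code. Input shapes follow the realm user-profile
JSON (users/profile) and admin-event records (admin-events); data is constructed."""
import json

# Constructed user-profile config: employeeId is managed and editable by nobody,
# and unmanaged attributes are "Only administrators can view" (ADMIN_VIEW).
PROFILE = {
    "attributes": [
        {"name": "username", "permissions": {"view": ["admin", "user"], "edit": ["admin", "user"]}},
        {"name": "employeeId", "permissions": {"view": ["admin"], "edit": []}},
    ],
    "unmanagedAttributePolicy": "ADMIN_VIEW",
}

# Constructed admin-event records (representation is only present when the realm's
# event config has "include representation" turned on).
EVENTS = [
    {"time": 1, "operationType": "UPDATE", "resourceType": "USER", "resourcePath": "users/11",
     "authDetails": {"userId": "admin-1", "ipAddress": "10.0.0.5"},
     "representation": json.dumps({"username": "alice",
                                   "attributes": {"employeeId": ["E-9"], "clearance": ["top"]}})},
    {"time": 2, "operationType": "UPDATE", "resourceType": "USER", "resourcePath": "users/12",
     "authDetails": {"userId": "admin-2", "ipAddress": "10.0.0.6"},
     "representation": json.dumps({"username": "bob", "firstName": "Bob"})},
]


def protected_attrs_in(profile, event):
    """Attribute names in a USER UPDATE event that the profile config says nobody may edit."""
    if event.get("resourceType") != "USER" or event.get("operationType") != "UPDATE":
        return []
    # managed attribute name -> roles allowed to edit it ([] means view-only for everyone)
    managed = {a["name"]: a.get("permissions", {}).get("edit", []) for a in profile["attributes"]}
    # unmanaged attributes are editable only under ENABLED or ADMIN_EDIT; ADMIN_VIEW or
    # an absent policy means any submitted unmanaged attribute should have been rejected
    unmanaged_editable = profile.get("unmanagedAttributePolicy") in ("ENABLED", "ADMIN_EDIT")
    submitted = json.loads(event.get("representation") or "{}").get("attributes", {})
    hits = [name for name in submitted
            if (name in managed and not managed[name]) or (name not in managed and not unmanaged_editable)]
    return sorted(hits)


def review_queue(profile, events):
    """(acting admin user id, target resource path, flagged attributes) for each suspicious event."""
    out = []
    for ev in events:
        hits = protected_attrs_in(profile, ev)
        if hits:
            out.append((ev["authDetails"]["userId"], ev["resourcePath"], hits))
    return out


if __name__ == "__main__":
    for who, target, attrs in review_queue(PROFILE, EVENTS):
        print(f"admin {who} submitted protected attributes {attrs} for {target}")
```

A hit means a protected attribute was present in the submitted user representation, which is the whole user object; compare the flagged values against the stored user to confirm that a change actually occurred before escalating.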
How to Mitigate CVE-2026-0871
Immediate Actions Required
- Apply the security patches provided in Red Hat Security Advisories RHSA-2026:2365 and RHSA-2026:2366
- Review and audit recent changes to user profile attributes, particularly unmanaged attributes with view-only restrictions
- Implement the principle of least privilege by limiting the number of administrators with manage-users permission
- Consider temporarily restricting access to user attribute management functionality until patches are applied
Patch Information
Red Hat has released security advisories addressing this vulnerability. Organizations running affected versions of Keycloak should apply the patches delivered in RHSA-2026:2365 and RHSA-2026:2366, listed under Immediate Actions above.
For detailed CVE information and technical analysis, refer to the Red Hat CVE Analysis for CVE-2026-0871 and Red Hat Bug Report #2428881.
Workarounds
- Restrict the manage-users permission to only essential administrators until patches are deployed
- Implement additional access controls at the network or application gateway level to limit administrative access
- Move sensitive attributes to managed attribute configurations where access controls may be more robust
- Enable enhanced logging and monitoring to detect any unauthorized attribute modifications during the interim period
# Review Keycloak realm configuration for unmanaged attributes
# (assumes kcadm.sh has already been authenticated with "kcadm.sh config credentials")
# Export the realm configuration and its user-profile settings for audit
/opt/keycloak/bin/kcadm.sh get realms/your-realm > realm-config-backup.json
/opt/keycloak/bin/kcadm.sh get users/profile -r your-realm > user-profile-config.json
# List administrators holding the manage-users client role of realm-management for audit
# (direct holders only; also review holders of the realm-admin composite role and group-inherited roles)
CID=$(/opt/keycloak/bin/kcadm.sh get clients -r your-realm -q clientId=realm-management --fields id --format csv --noquotes)
/opt/keycloak/bin/kcadm.sh get clients/$CID/roles/manage-users/users -r your-realm
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.