CVE-2026-41166 Overview
OpenRemote is an open-source internet-of-things (IoT) platform that provides comprehensive device management and automation capabilities. A privilege escalation vulnerability exists in versions prior to 1.22.1 that allows an attacker with write:admin permissions in one Keycloak realm to modify Keycloak realm roles for users in other realms, including the sensitive master realm. This cross-realm authorization bypass occurs because the Manager API handler uses the {realm} path segment when communicating with the identity provider but fails to validate whether the caller has administrative privileges over the targeted realm.
Critical Impact
An attacker who controls any user account in the master realm and has write:admin access in any other realm can escalate privileges to become a master realm administrator, potentially gaining full control over the entire OpenRemote deployment and all connected IoT devices.
Affected Products
- OpenRemote IoT Platform versions prior to 1.22.1
- OpenRemote deployments using Keycloak multi-realm configurations
- OpenRemote instances with cross-realm user access patterns
Discovery Timeline
- April 22, 2026 - CVE-2026-41166 published to NVD
- April 23, 2026 - Last updated in NVD database
Technical Details for CVE-2026-41166
Vulnerability Analysis
This vulnerability is classified under CWE-284 (Improper Access Control) and represents a critical authorization bypass in the OpenRemote Manager API. The vulnerability stems from a missing authorization check in the API handler responsible for managing Keycloak realm roles. When processing requests to update user roles, the handler extracts the target realm from the {realm} path segment in the API request and forwards this to the Keycloak identity provider without verifying that the authenticated user possesses administrative privileges over that specific realm.
The attack requires network access and depends on the attacker having an existing write:admin permission in at least one Keycloak realm, as well as controlling a user account in the target realm (such as master). While these prerequisites introduce some complexity, they are achievable in multi-tenant or enterprise deployments where users may have legitimate access to multiple realms with varying privilege levels.
Root Cause
The root cause is an improper access control implementation in the realm role management endpoint. The API handler trusts the {realm} path parameter without performing server-side authorization validation to confirm the requesting user has administrative authority over the specified realm. This allows authenticated users to manipulate the target realm value and perform role assignments outside their authorized scope.
Attack Vector
The attack exploits the network-accessible Manager API by crafting requests that target the master realm or other privileged realms while authenticating with credentials from a less-privileged realm. The attacker sends a role update request specifying the target realm in the path segment, and because no cross-realm authorization check exists, the identity provider executes the role modification. If the attacker controls even a low-privileged user account in the master realm, they can assign themselves administrative roles, achieving full privilege escalation.
The vulnerability mechanism involves the following sequence: An attacker authenticates to the Manager API using credentials with write:admin in their assigned realm. They then craft an API request targeting a different realm (e.g., master) in the path segment. The handler passes this request to Keycloak without validating cross-realm authorization. Keycloak processes the role update, granting the attacker elevated privileges in the target realm.
For detailed technical information, see the GitHub Security Advisory GHSA-49vv-25qx-mg44.
Detection Methods for CVE-2026-41166
Indicators of Compromise
- Unexpected role assignments or privilege changes in Keycloak realm configurations, particularly in the master realm
- API logs showing role update requests where the authenticated user's realm differs from the target realm in the request path
- Audit trail entries indicating cross-realm administrative operations performed by users without explicit multi-realm admin privileges
- Newly created administrator accounts or elevated privileges for existing accounts in the master realm without corresponding change management records
Detection Strategies
- Implement API request logging that captures both the authenticated user's realm and the target realm in role management operations
- Configure Keycloak audit logging to track all role assignment changes, filtering for operations where source and target realms differ
- Deploy application-level monitoring to alert on any role modifications in the master realm initiated from non-master realm credentials
- Establish baseline behavioral analytics for administrative API usage patterns to detect anomalous cross-realm activity
Monitoring Recommendations
- Enable comprehensive audit logging in both OpenRemote and Keycloak to capture all identity management operations
- Configure SIEM rules to correlate authentication events with subsequent privilege escalation attempts across realm boundaries
- Implement real-time alerting for any administrative role assignments in high-value realms such as master
- Regularly review and audit user role assignments across all realms to identify unauthorized privilege elevations
How to Mitigate CVE-2026-41166
Immediate Actions Required
- Upgrade to OpenRemote version 1.22.1 or later immediately to address the authorization bypass vulnerability
- Audit all Keycloak realms for unexpected role assignments, particularly administrator roles in the master realm
- Review API access logs for evidence of cross-realm role manipulation attempts
- Temporarily restrict network access to the Manager API if immediate patching is not possible
Patch Information
OpenRemote has addressed this vulnerability in version 1.22.1. The patch implements proper authorization validation to ensure that users can only modify roles within realms for which they have explicit administrative privileges. Organizations should upgrade to this version or later by obtaining the release from the OpenRemote Release 1.22.1 page.
Workarounds
- Restrict write:admin permissions to only essential personnel and realms until the patch can be applied
- Implement network segmentation to limit Manager API access to trusted internal networks only
- Configure web application firewall (WAF) rules to inspect and potentially block API requests targeting cross-realm role management endpoints
- Disable or remove unnecessary realm configurations to reduce the attack surface for cross-realm exploitation
If immediate patching is not feasible, consider implementing network-level controls to restrict API access:
# Example: Restrict Manager API access to trusted networks using iptables
# Adjust the network ranges according to your environment
iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
