CVE-2026-41166

Source
https://cve.org/CVERecord?id=CVE-2026-41166
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-41166.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-41166
Aliases
Published
2026-04-22T20:31:29.234Z
Modified
2026-04-29T12:49:52.992297Z
Severity
  • 7.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
Summary
OpenRemote has Improper Access Control via updateUserRealmRoles function
Details

OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has the write:admin role in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in a different realm, including master. The handler passes the {realm} path segment through to the identity provider but never checks that the caller is allowed to administer that realm; the only check made is that the caller is an administrator of its own realm. If the attacker controls any user account in the master realm, this allows privilege escalation to master realm administrator. Version 1.22.1 fixes the issue.
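The access-control decision the advisory describes, modelled in plain Java as an added example. This is not OpenRemote's code: the class and method names (RealmRoleAuthzExample, FakeIdentityProvider, vulnerableUpdate, hardenedUpdate, canAdministerRealm) are hypothetical, the identity-provider client is a stub that records the call instead of contacting Keycloak, and the authorization rule in canAdministerRealm (a master-realm admin may administer any realm, any other admin only its own) is an assumption chosen to mirror the advisory's description, not the project's actual policy. The point it shows is the difference between "is the caller an admin somewhere?" and "may the caller administer the realm named in the path?".

```java
import java.util.Set;

// Added illustration, not OpenRemote code. All names here are hypothetical.
public class RealmRoleAuthzExample {

    static final String MASTER = "master";
    static final String WRITE_ADMIN = "write:admin";

    /** The authenticated caller: the realm its token was issued for and its realm roles. */
    record Caller(String realm, Set<String> roles) {}

    /** Stand-in for the identity-provider client; records the last call instead of talking to Keycloak. */
    static class FakeIdentityProvider {
        String lastRealm;
        String lastUserId;
        Set<String> lastRoles;

        void updateUserRealmRoles(String realm, String userId, Set<String> roles) {
            lastRealm = realm;
            lastUserId = userId;
            lastRoles = roles;
        }
    }

    /**
     * Vulnerable shape: the {realm} path segment is forwarded to the identity provider
     * after checking only that the caller holds write:admin in some realm.
     */
    static boolean vulnerableUpdate(FakeIdentityProvider idp, Caller caller,
                                    String pathRealm, String userId, Set<String> roles) {
        if (!caller.roles().contains(WRITE_ADMIN)) {
            return false;
        }
        idp.updateUserRealmRoles(pathRealm, userId, roles);
        return true;
    }

    /**
     * Hardened shape: the caller must additionally be permitted to administer the realm
     * named in the path before anything is sent to the identity provider.
     */
    static boolean hardenedUpdate(FakeIdentityProvider idp, Caller caller,
                                  String pathRealm, String userId, Set<String> roles) {
        if (!caller.roles().contains(WRITE_ADMIN)) {
            return false;
        }
        if (!canAdministerRealm(caller, pathRealm)) {
            return false;
        }
        idp.updateUserRealmRoles(pathRealm, userId, roles);
        return true;
    }

    /** Assumed policy: a master-realm admin may administer any realm; any other admin only its own. */
    static boolean canAdministerRealm(Caller caller, String targetRealm) {
        return MASTER.equals(caller.realm()) || caller.realm().equals(targetRealm);
    }

    public static void main(String[] args) {
        // Constructed sample: an admin of a tenant realm aims a request at a user in master.
        Caller tenantAdmin = new Caller("tenantA", Set.of(WRITE_ADMIN));
        Set<String> escalate = Set.of("admin");

        FakeIdentityProvider idp = new FakeIdentityProvider();
        boolean accepted = vulnerableUpdate(idp, tenantAdmin, MASTER, "user-in-master", escalate);
        System.out.println("vulnerable: accepted=" + accepted + ", realm written=" + idp.lastRealm);

        idp = new FakeIdentityProvider();
        accepted = hardenedUpdate(idp, tenantAdmin, MASTER, "user-in-master", escalate);
        System.out.println("hardened:   accepted=" + accepted + ", realm written=" + idp.lastRealm);

        // A same-realm request still succeeds after the check is added.
        accepted = hardenedUpdate(idp, tenantAdmin, "tenantA", "user-in-tenantA", escalate);
        System.out.println("hardened, same realm: accepted=" + accepted + ", realm written=" + idp.lastRealm);
    }
}
```

Run with `java RealmRoleAuthzExample.java` (Java 16 or later, for the record type). The first line shows the vulnerable handler writing to the master realm on behalf of a tenantA admin; the second shows the hardened handler rejecting the same request before the identity provider is touched; the third shows that legitimate same-realm administration is unaffected. In a real deployment the realm-authorization check belongs in the handler itself or a shared filter that runs before the identity-provider call, and it should be applied to every realm-scoped endpoint, not only the one named in this advisory.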

Database specific
{
    "cwe_ids": [
        "CWE-284"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41166.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/openremote/openremote

Affected ranges

Type
GIT
Repo
https://github.com/openremote/openremote
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.22.1"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

1.*
1.10.0
1.11.0
1.11.1
1.11.2
1.11.3
1.12.0
1.12.1
1.12.2
1.12.3
1.13.0
1.13.1
1.14.0
1.15.0
1.15.1
1.15.2
1.16.0
1.16.1
1.17.0
1.17.1
1.17.2
1.17.3
1.18.0
1.19.0
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.20.0
1.20.1
1.20.2
1.21.0
1.22.0
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.4.0
1.5.0
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.7.0
1.8.0
1.8.1
1.9.0
Other
archive/console_loader

Database specific

vanir_signatures_modified
"2026-04-29T12:49:52Z"
vanir_signatures
[
    {
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "251934035670255277689947968565461017183",
                "299615980489034397236031457586547942008",
                "117676322877541317703836731853899128320",
                "237098204049922686863527302705452495602",
                "249697615861708996734936966951263384344",
                "138484438192112742305351476051444609359",
                "142970744098321418686604277213682678691",
                "80288050604985277401082417543466509223",
                "249524405133918028842978621300191933713",
                "85439014895134549720080188140162319130",
                "118102796418742001185444349597881435147",
                "66312493425627644208772463835720195329",
                "321012955766064072973566257686708920328",
                "107664221178909685114516741381734212982",
                "89649365044303810402660825454923870286",
                "220547492557685440471918306199107555632",
                "173660870094792541292400959274741800029",
                "126587264119479544188213639463275750114",
                "134940876968500405225778715561055455554",
                "14618910547863859385539471161257932345",
                "266973850402441956984968684323221594909",
                "13618020404081250185482741469763518082",
                "46414950478031200227205823425635304433",
                "234831748277701653387385253615509136957",
                "143437113404168216642923525715632517497",
                "63761865142482496096758811687738019982",
                "91381220456512280019999006600680532453"
            ]
        },
        "id": "CVE-2026-41166-28a4969d",
        "signature_type": "Line",
        "target": {
            "file": "manager/src/main/java/org/openremote/manager/asset/AssetResourceImpl.java"
        },
        "source": "https://github.com/openremote/openremote/commit/38b9b55a84fc3b7e582879a56c0e2c2d0d2daf53",
        "deprecated": false
    },
    {
        "signature_version": "v1",
        "digest": {
            "function_hash": "271442230655842211531282664518353395339",
            "length": 488.0
        },
        "id": "CVE-2026-41166-701d5960",
        "signature_type": "Function",
        "target": {
            "file": "manager/src/main/java/org/openremote/manager/asset/AssetResourceImpl.java",
            "function": "updateNoneParent"
        },
        "source": "https://github.com/openremote/openremote/commit/38b9b55a84fc3b7e582879a56c0e2c2d0d2daf53",
        "deprecated": false
    },
    {
        "signature_version": "v1",
        "digest": {
            "function_hash": "99004910571964356651713061366659921792",
            "length": 511.0
        },
        "id": "CVE-2026-41166-a2d0d57e",
        "signature_type": "Function",
        "target": {
            "file": "manager/src/main/java/org/openremote/manager/asset/AssetResourceImpl.java",
            "function": "updateParent"
        },
        "source": "https://github.com/openremote/openremote/commit/38b9b55a84fc3b7e582879a56c0e2c2d0d2daf53",
        "deprecated": false
    }
]
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-41166.json"