A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the system is configured to restrict such modifications.
The vulnerability has a CVSS score of 4.9, which places it at medium severity. The rating matters to organizations that rely on Keycloak for user management: if left unaddressed, the flaw allows unauthorized changes to user profile attributes that the configuration was meant to make read-only, which can compromise the integrity of user data.
No exploits in the wild are currently known, but organizations should still prioritize patching. The access control bypass itself makes the immediate risk higher than the absence of public exploits would suggest.
The vulnerability was published on February 27, 2026, and has been classified as analyzed. Organizations using vulnerable versions of Keycloak should take action to remediate this issue promptly.
Risk to organizations includes unauthorized modifications to user profiles, potentially leading to data breaches or other security incidents.
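Until a patched version is deployed, one compensating control is to watch the realm's admin events for user updates that write attributes the user profile configuration does not declare, while the unmanaged attribute policy says administrators may only view them. The following is an added example written for this page, not code from Keycloak or from the advisory. It assumes the user profile configuration is the JSON the admin REST API returns for the realm's `users/profile` resource, that the "Only administrators can view" option is stored as the `unmanagedAttributePolicy` value `ADMIN_VIEW`, and that admin events carry `operationType`, `resourceType`, `resourcePath`, `authDetails` and a JSON `representation` field. The sample configuration and events are constructed here; the attribute names and identifiers are made up.

```python
import json

# Constructed sample of a realm's user profile configuration, shaped like the
# JSON returned by the admin REST API for GET /admin/realms/{realm}/users/profile.
# "ADMIN_VIEW" is assumed to be how the admin console's "Only administrators can
# view" option is persisted; the attribute names are made up.
SAMPLE_UP_CONFIG = {
    "unmanagedAttributePolicy": "ADMIN_VIEW",
    "attributes": [
        {"name": "username"},
        {"name": "email"},
        {"name": "firstName"},
        {"name": "lastName"},
        {"name": "department"},
    ],
}

# Constructed sample admin events, shaped like Keycloak admin event records.
# The representation is stored as a JSON string, as Keycloak does when
# "include representation" is enabled for admin events.
SAMPLE_ADMIN_EVENTS = [
    {   # legitimate update of a managed attribute
        "time": 1772150400000,
        "operationType": "UPDATE",
        "resourceType": "USER",
        "resourcePath": "users/11111111-aaaa-bbbb-cccc-222222222222",
        "authDetails": {"userId": "admin-user-id", "clientId": "admin-cli"},
        "representation": json.dumps({"attributes": {"department": ["finance"]}}),
    },
    {   # write to an attribute the profile config does not declare
        "time": 1772150460000,
        "operationType": "UPDATE",
        "resourceType": "USER",
        "resourcePath": "users/11111111-aaaa-bbbb-cccc-222222222222",
        "authDetails": {"userId": "helpdesk-user-id", "clientId": "admin-cli"},
        "representation": json.dumps(
            {"attributes": {"department": ["finance"], "internal_flag": ["true"]}}
        ),
    },
    {   # unrelated event type, must be ignored
        "time": 1772150520000,
        "operationType": "CREATE",
        "resourceType": "GROUP",
        "resourcePath": "groups/33333333-dddd-eeee-ffff-444444444444",
        "authDetails": {"userId": "admin-user-id", "clientId": "admin-cli"},
        "representation": json.dumps({"name": "auditors"}),
    },
]

# Policies under which unmanaged attributes are writable by design; writes
# under any other policy (ADMIN_VIEW, or unmanaged attributes disabled) are
# worth flagging.
WRITABLE_POLICIES = {"ENABLED", "ADMIN_EDIT"}


def managed_attribute_names(up_config):
    """Names of the attributes the user profile configuration declares."""
    return {attr["name"] for attr in up_config.get("attributes", [])}


def unmanaged_attribute_writes(up_config, events):
    """Return one finding per user CREATE/UPDATE event whose representation
    writes attributes outside the declared profile, when the configured policy
    does not allow administrators to edit unmanaged attributes."""
    if up_config.get("unmanagedAttributePolicy") in WRITABLE_POLICIES:
        return []
    managed = managed_attribute_names(up_config)
    findings = []
    for event in events:
        if event.get("resourceType") != "USER":
            continue
        if event.get("operationType") not in ("CREATE", "UPDATE"):
            continue
        raw = event.get("representation")
        if not raw:
            continue  # representation logging disabled; nothing to inspect
        try:
            body = json.loads(raw)
        except ValueError:
            continue
        attrs = body.get("attributes") or {}
        unmanaged = sorted(set(attrs) - managed)
        if unmanaged:
            findings.append({
                "time": event.get("time"),
                "actor": event.get("authDetails", {}).get("userId"),
                "target": event.get("resourcePath"),
                "attributes": unmanaged,
            })
    return findings


if __name__ == "__main__":
    for finding in unmanaged_attribute_writes(SAMPLE_UP_CONFIG, SAMPLE_ADMIN_EVENTS):
        print(f"{finding['time']} {finding['actor']} wrote unmanaged attributes "
              f"{finding['attributes']} on {finding['target']}")
```

The check only sees attribute names when admin event representations are recorded, so the realm's admin event settings must have representation logging enabled for it to be useful. A finding shows that an attribute outside the declared profile was written through the admin API; whether that write went through the fixed code path or the bypass is something the patch level of the running Keycloak decides, so the output is an investigation lead rather than proof of exploitation.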
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.