Keycloak Server Private SPI: Improper Access Control Allows Administrators to Bypass Attribute Visibility Restrictions and Modify Unmanaged User Profile Attributes

GHSA-v4jw-m6rm-399h · CVE-2026-0871

Published Feb 27, 2026 · Modified Feb 28, 2026

Description

A flaw was found in Keycloak. An administrator with manage-users permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the system is configured to restrict such modifications.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-0871
WEB https://github.com/keycloak/keycloak/issues/45873
WEB https://github.com/keycloak/keycloak/commit/9d0f679ecea405958f167fcd0f4a6db6ae32c3fa
WEB https://access.redhat.com/errata/RHSA-2026:2365
WEB https://access.redhat.com/errata/RHSA-2026:2366
WEB https://access.redhat.com/security/cve/CVE-2026-0871
WEB https://bugzilla.redhat.com/show_bug.cgi?id=2428881
PACKAGE https://github.com/keycloak/keycloak

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes