OpenRemote Privilege Escalation: Master Realm at Risk
The National Vulnerability Database has detailed CVE-2026-41166, a critical privilege escalation vulnerability in OpenRemote, an open-source IoT platform. Prior to version 1.22.1, a user with write:admin permissions in any Keycloak realm could exploit a flaw in the Manager API. This allowed them to modify Keycloak realm roles for users in other realms, including the master realm.
The core issue, as described by the National Vulnerability Database, is that the API handler uses the realm path segment when communicating with the identity provider but does not verify that the calling user holds administrative privileges for that specific realm. The check that is performed establishes only that the caller is an administrator somewhere, not of the realm named in the request. This creates a direct path for an attacker who controls any user in the master realm to escalate that user to a master realm administrator.
This is a severe access-control flaw (CVSS score 7, CWE-284: Improper Access Control) that directly undermines the integrity of realm isolation. Defenders must prioritize patching OpenRemote to version 1.22.1 immediately to mitigate this risk. An attacker gaining master realm administrator access means total compromise of the identity provider, since master realm administrators govern every other realm, leading to widespread system control.
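The following is an added illustration, not OpenRemote code and not the upstream patch, of the authorization gap the advisory describes and of the kind of check that closes it. It models a simplified Manager-API-style handler: the caller carries the realm its token was issued in plus its roles, and the request carries the `{realm}` path segment that is forwarded to the identity provider. The names `Caller`, `IdentityProvider`, `vulnerable_update_roles` and `fixed_update_roles` are hypothetical, as is the assumption that a master realm admin may administer other realms; the audit helper at the end works over a constructed event shape, not Keycloak's admin-event schema.

```python
"""Model of a cross-realm role-update authorization gap and a hardened check.

Hypothetical, simplified model (not OpenRemote's code): the caller's realm comes
from its token; the target realm comes from the `{realm}` path segment.
"""
from __future__ import annotations

from dataclasses import dataclass, field

MASTER_REALM = "master"        # Keycloak's built-in master realm
WRITE_ADMIN = "write:admin"    # the permission named in the advisory


@dataclass(frozen=True)
class Caller:
    user: str
    realm: str                 # realm the caller authenticated against
    roles: frozenset = frozenset()


@dataclass
class IdentityProvider:
    """Stand-in for Keycloak: realm -> user -> set of realm roles."""
    realm_roles: dict = field(default_factory=dict)

    def set_roles(self, realm: str, user: str, roles: set) -> None:
        self.realm_roles.setdefault(realm, {})[user] = set(roles)


class AuthorizationError(PermissionError):
    pass


def vulnerable_update_roles(idp: IdentityProvider, caller: Caller,
                            path_realm: str, target_user: str, roles: set) -> None:
    """Pre-fix pattern as the advisory describes it: only 'has write:admin somewhere'
    is checked, then the path realm is forwarded unchanged to the identity provider."""
    if WRITE_ADMIN not in caller.roles:
        raise AuthorizationError("write:admin required")
    idp.set_roles(path_realm, target_user, roles)   # path_realm never compared to caller.realm


def fixed_update_roles(idp: IdentityProvider, caller: Caller,
                       path_realm: str, target_user: str, roles: set) -> None:
    """Hardened check (assumed fix pattern): the caller may only administer the realm
    its token belongs to, unless it is itself a master-realm administrator."""
    if WRITE_ADMIN not in caller.roles:
        raise AuthorizationError("write:admin required")
    is_master_admin = caller.realm == MASTER_REALM
    if path_realm != caller.realm and not is_master_admin:
        raise AuthorizationError(
            f"{caller.user}@{caller.realm} is not an administrator of realm {path_realm!r}")
    idp.set_roles(path_realm, target_user, roles)


def cross_realm_role_updates(events: list) -> list:
    """Post-patch audit helper: flag role-mapping writes whose actor authenticated in a
    realm other than the one being modified (constructed event shape)."""
    return [e for e in events
            if e["operation"] == "UPDATE_ROLE_MAPPING"
            and e["actor_realm"] != e["target_realm"]]


# Constructed audit events: one legitimate same-realm change, one cross-realm change
# into master that a defender would want to review.
SAMPLE_EVENTS = [
    {"operation": "UPDATE_ROLE_MAPPING", "actor": "alice", "actor_realm": "tenant-a",
     "target_realm": "tenant-a", "target_user": "bob"},
    {"operation": "UPDATE_ROLE_MAPPING", "actor": "eve", "actor_realm": "tenant-a",
     "target_realm": "master", "target_user": "eve-master"},
]

if __name__ == "__main__":
    tenant_admin = Caller("eve", "tenant-a", frozenset({WRITE_ADMIN}))
    idp = IdentityProvider()
    vulnerable_update_roles(idp, tenant_admin, MASTER_REALM, "eve-master", {"admin"})
    print("vulnerable handler wrote master roles:", idp.realm_roles)
    try:
        fixed_update_roles(IdentityProvider(), tenant_admin, MASTER_REALM, "eve-master", {"admin"})
    except AuthorizationError as exc:
        print("fixed handler refused:", exc)
    print("events to review:", cross_realm_role_updates(SAMPLE_EVENTS))
```

The essential difference is the single comparison between the realm the caller's credentials belong to and the realm named in the request; the audit helper applies the same comparison retrospectively to role-change records, which is the review step to run against the master realm after upgrading.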
What This Means For You
- If your organization uses OpenRemote, you need to check your version immediately. Patch to 1.22.1 without delay. After patching, audit Keycloak realm roles, especially for the `master` realm, to detect any unauthorized modifications that may have occurred prior to mitigation.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41166 | Privilege Escalation | OpenRemote platform versions prior to 1.22.1 |
| CVE-2026-41166 | Auth Bypass | OpenRemote Manager API allows updating Keycloak realm roles across realms without proper authorization check |
| CVE-2026-41166 | Privilege Escalation | Vulnerable component: OpenRemote Manager API handler processing `{realm}` path segment |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 23, 2026 at 00:17 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.