Vulnerability details: VCID-jrds-3wks-aybe
Vulnerability ID VCID-jrds-3wks-aybe
Aliases CVE-2026-0871
GHSA-v4jw-m6rm-399h
Summary Keycloak Server Private SPI: Improper Access Control Allows Administrators to Bypass Attribute Visibility Restrictions and Modify Unmanaged User Profile Attributes
A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the system is configured to restrict such modifications.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (4)
System Score Found at
cvssv3.1 4.9 https://access.redhat.com/errata/RHSA-2026:2365
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2026:2365
ssvc Track https://access.redhat.com/errata/RHSA-2026:2365
cvssv3.1 4.9 https://access.redhat.com/errata/RHSA-2026:2366
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2026:2366
ssvc Track https://access.redhat.com/errata/RHSA-2026:2366
cvssv3 4.9 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0871.json
cvssv3.1 4.9 https://access.redhat.com/security/cve/CVE-2026-0871
generic_textual MODERATE https://access.redhat.com/security/cve/CVE-2026-0871
ssvc Track https://access.redhat.com/security/cve/CVE-2026-0871
epss 0.00011 https://api.first.org/data/v1/epss?cve=CVE-2026-0871
epss 0.00034 https://api.first.org/data/v1/epss?cve=CVE-2026-0871
cvssv3.1 4.9 https://bugzilla.redhat.com/show_bug.cgi?id=2428881
generic_textual MODERATE https://bugzilla.redhat.com/show_bug.cgi?id=2428881
ssvc Track https://bugzilla.redhat.com/show_bug.cgi?id=2428881
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-v4jw-m6rm-399h
cvssv3.1 4.9 https://github.com/keycloak/keycloak
generic_textual MODERATE https://github.com/keycloak/keycloak
cvssv3.1 4.9 https://github.com/keycloak/keycloak/commit/9d0f679ecea405958f167fcd0f4a6db6ae32c3fa
generic_textual MODERATE https://github.com/keycloak/keycloak/commit/9d0f679ecea405958f167fcd0f4a6db6ae32c3fa
cvssv3.1 4.9 https://github.com/keycloak/keycloak/issues/45873
generic_textual MODERATE https://github.com/keycloak/keycloak/issues/45873
cvssv3.1 4.9 https://nvd.nist.gov/vuln/detail/CVE-2026-0871
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-0871
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N Found at https://access.redhat.com/errata/RHSA-2026:2365
Decoded metrics: Attack Vector (AV) network; Attack Complexity (AC) low; Privileges Required (PR) high; User Interaction (UI) none; Scope (S) unchanged; Confidentiality Impact (C) none; Integrity Impact (I) high; Availability Impact (A) none.
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T16:51:23Z/ Found at https://access.redhat.com/errata/RHSA-2026:2365
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N Found at https://access.redhat.com/errata/RHSA-2026:2366
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T16:51:23Z/ Found at https://access.redhat.com/errata/RHSA-2026:2366
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0871.json
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N Found at https://access.redhat.com/security/cve/CVE-2026-0871
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T16:51:23Z/ Found at https://access.redhat.com/security/cve/CVE-2026-0871
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N Found at https://bugzilla.redhat.com/show_bug.cgi?id=2428881
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T16:51:23Z/ Found at https://bugzilla.redhat.com/show_bug.cgi?id=2428881
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/keycloak/keycloak
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/keycloak/keycloak/commit/9d0f679ecea405958f167fcd0f4a6db6ae32c3fa
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/keycloak/keycloak/issues/45873
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-0871
Exploit Prediction Scoring System (EPSS)
Percentile 0.01437
EPSS Score 0.00011
Published At April 21, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:52:43.157483+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-v4jw-m6rm-399h/GHSA-v4jw-m6rm-399h.json 38.0.0