OpenRemote Cross-Realm User Information Disclosure (CVE-2026-54641)
A high-severity vulnerability (CVE-2026-54641) in OpenRemote's `UserResourceImpl.java` allows a realm administrator in a multi-tenant deployment to perform cross-realm user enumeration and privilege-level reconnaissance by reading sensitive user information (profile, client roles, and realm roles) from any other realm, including the master realm, due to missing authorization checks in specific REST API endpoints.
A high-severity vulnerability, CVE-2026-54641, has been identified in OpenRemote's openremote-manager package, affecting versions prior to 1.24.2. This flaw specifically resides in the UserResourceImpl.java file, where three read endpoints (get, getUserClientRoles, getUserRealmRoles) lack an authenticated-realm guard. This oversight allows a realm administrator from any non-master tenant to retrieve sensitive user profile data, client roles, and realm roles belonging to users in other realms, including the highly privileged master realm, simply by supplying the target user's UUID in the REST API path. This cross-tenant information disclosure facilitates user enumeration and privilege reconnaissance, providing attackers with valuable intelligence (usernames, email addresses, role assignments) that can be leveraged for further targeted attacks such as credential stuffing, social engineering, or privilege escalation within multi-tenant OpenRemote deployments.
Attack Chain
- An attacker gains administrator-level access to a non-master OpenRemote tenant, possessing the
read:adminrole. - The attacker performs reconnaissance to identify a target user's UUID within another realm, typically the privileged master realm, potentially through accessible audit logs, API responses, or provisioning records.
- The attacker authenticates to their controlled non-master tenant (e.g.,
tenantb) and obtains a valid OpenID Connect access token. - The attacker crafts and sends an authenticated HTTP GET request to the vulnerable
/api/{caller_realm}/user/{target_realm}/{user_id}endpoint, specifying the master realm as the target (target_realm) and the master admin's UUID. - The attacker proceeds to send an authenticated HTTP GET request to the
/api/{caller_realm}/user/{target_realm}/userRealmRoles/{user_id}endpoint to retrieve the target master realm user's assigned realm roles. - Subsequently, the attacker sends an authenticated HTTP GET request to the
/api/{caller_realm}/user/{target_realm}/userRoles/{user_id}/{client_id}endpoint to gather the target master realm user's client roles. - Due to the absence of proper authorization checks in
UserResourceImpl.java, the OpenRemote server inadvertently returns sensitive user profile, realm role, and client role information from the target master realm to the attacker, despite their non-master realm token. - The attacker utilizes the disclosed user identities, privilege levels, and role assignments to plan and execute subsequent attacks, such as credential stuffing against identified administrator accounts, social engineering campaigns, or exploiting other vulnerabilities for privilege escalation.
Impact
This vulnerability allows any realm administrator with read:admin permissions in a non-master tenant to enumerate user accounts, obtain email addresses, determine enabled/disabled status, and retrieve the full set of Keycloak roles for any user across all realms, including the most privileged master realm. This breaks tenant isolation in hosted or shared OpenRemote deployments, compromising the confidentiality of user data. The exposure of sensitive master administrator account identities and their extensive role assignments significantly aids in targeted attacks, making credential stuffing, social engineering, and potential privilege escalation much more feasible. Successful exploitation can lead to a complete compromise of the OpenRemote instance if master administrator credentials are subsequently brute-forced or phished.
Recommendation
- Immediately patch OpenRemote instances to version
1.24.2or higher to remediate CVE-2026-54641. - Deploy the Sigma rule in this brief to your SIEM to detect suspicious cross-realm information disclosure attempts.
- Monitor webserver logs for HTTP GET requests matching the patterns identified in the Sigma rule, specifically for access to
/api/{non_master_realm}/user/master/*endpoints by non-master realm administrators.
Detection coverage 1
Detect CVE-2026-54641 Exploitation - OpenRemote Cross-Realm User Info Disclosure
highDetects CVE-2026-54641 exploitation - HTTP GET requests targeting master realm user information endpoints from a non-master realm context, indicating cross-realm information disclosure attempts in OpenRemote.
Detection queries are available on the platform. Get full rules →