{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/multi-tenant/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["openremote-manager (\u003c 1.24.2)"],"_cs_severities":["high"],"_cs_tags":["OpenRemote","Vulnerability","API","Information Disclosure","Access Control","Multi-tenant"],"_cs_type":"advisory","_cs_vendors":["OpenRemote"],"content_html":"\u003cp\u003eA high-severity vulnerability, CVE-2026-54641, has been identified in OpenRemote's \u003ccode\u003eopenremote-manager\u003c/code\u003e package, affecting versions prior to \u003ccode\u003e1.24.2\u003c/code\u003e. This flaw specifically resides in the \u003ccode\u003eUserResourceImpl.java\u003c/code\u003e file, where three read endpoints (\u003ccode\u003eget\u003c/code\u003e, \u003ccode\u003egetUserClientRoles\u003c/code\u003e, \u003ccode\u003egetUserRealmRoles\u003c/code\u003e) lack an authenticated-realm guard. This oversight allows a realm administrator from any non-master tenant to retrieve sensitive user profile data, client roles, and realm roles belonging to users in other realms, including the highly privileged master realm, simply by supplying the target user's UUID in the REST API path. This cross-tenant information disclosure facilitates user enumeration and privilege reconnaissance, providing attackers with valuable intelligence (usernames, email addresses, role assignments) that can be leveraged for further targeted attacks such as credential stuffing, social engineering, or privilege escalation within multi-tenant OpenRemote deployments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains administrator-level access to a non-master OpenRemote tenant, possessing the \u003ccode\u003eread:admin\u003c/code\u003e role.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance to identify a target user's UUID within another realm, typically the privileged master realm, potentially through accessible audit logs, API responses, or provisioning records.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to their controlled non-master tenant (e.g., \u003ccode\u003etenantb\u003c/code\u003e) and obtains a valid OpenID Connect access token.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts and sends an authenticated HTTP GET request to the vulnerable \u003ccode\u003e/api/{caller_realm}/user/{target_realm}/{user_id}\u003c/code\u003e endpoint, specifying the master realm as the target (\u003ccode\u003etarget_realm\u003c/code\u003e) and the master admin's UUID.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds to send an authenticated HTTP GET request to the \u003ccode\u003e/api/{caller_realm}/user/{target_realm}/userRealmRoles/{user_id}\u003c/code\u003e endpoint to retrieve the target master realm user's assigned realm roles.\u003c/li\u003e\n\u003cli\u003eSubsequently, the attacker sends an authenticated HTTP GET request to the \u003ccode\u003e/api/{caller_realm}/user/{target_realm}/userRoles/{user_id}/{client_id}\u003c/code\u003e endpoint to gather the target master realm user's client roles.\u003c/li\u003e\n\u003cli\u003eDue to the absence of proper authorization checks in \u003ccode\u003eUserResourceImpl.java\u003c/code\u003e, the OpenRemote server inadvertently returns sensitive user profile, realm role, and client role information from the target master realm to the attacker, despite their non-master realm token.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes the disclosed user identities, privilege levels, and role assignments to plan and execute subsequent attacks, such as credential stuffing against identified administrator accounts, social engineering campaigns, or exploiting other vulnerabilities for privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows any realm administrator with \u003ccode\u003eread:admin\u003c/code\u003e permissions in a non-master tenant to enumerate user accounts, obtain email addresses, determine enabled/disabled status, and retrieve the full set of Keycloak roles for any user across all realms, including the most privileged master realm. This breaks tenant isolation in hosted or shared OpenRemote deployments, compromising the confidentiality of user data. The exposure of sensitive master administrator account identities and their extensive role assignments significantly aids in targeted attacks, making credential stuffing, social engineering, and potential privilege escalation much more feasible. Successful exploitation can lead to a complete compromise of the OpenRemote instance if master administrator credentials are subsequently brute-forced or phished.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch OpenRemote instances to version \u003ccode\u003e1.24.2\u003c/code\u003e or higher to remediate CVE-2026-54641.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule in this brief to your SIEM to detect suspicious cross-realm information disclosure attempts.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for HTTP GET requests matching the patterns identified in the Sigma rule, specifically for access to \u003ccode\u003e/api/{non_master_realm}/user/master/*\u003c/code\u003e endpoints by non-master realm administrators.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T20:51:11Z","date_published":"2026-07-06T20:51:11Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openremote-cross-realm-info-disclosure/","summary":"A high-severity vulnerability (CVE-2026-54641) in OpenRemote's `UserResourceImpl.java` allows a realm administrator in a multi-tenant deployment to perform cross-realm user enumeration and privilege-level reconnaissance by reading sensitive user information (profile, client roles, and realm roles) from any other realm, including the master realm, due to missing authorization checks in specific REST API endpoints.","title":"OpenRemote Cross-Realm User Information Disclosure (CVE-2026-54641)","url":"https://feed.craftedsignal.io/briefs/2026-07-openremote-cross-realm-info-disclosure/"}],"language":"en","title":"CraftedSignal Threat Feed - Multi-Tenant","version":"https://jsonfeed.org/version/1.1"}