Description
The reported behavior does not constitute a privilege escalation. Exploitation requires the attacker to already possess the manage-realm administrative role within the realm-management client. By design, the manage-realm role is intended to be equivalent in administrative authority to realm-admin. A user with manage-realm already has full administrative control over the realm. Therefore, importing users with realm-admin role mappings through POST /admin/realms/{realm}/partialImport does not grant any additional privileges beyond those already held by the administrator and does not represent a security vulnerability.
Published: 2026-06-08
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper access control flaw was discovered in the POST /admin/realms/{realm}/partialImport endpoint. A user with a limited administrator role can exploit this by importing users that are granted realm‑admin role mappings, thereby bypassing the Fine‑Grained Admin Permissions (FGAP) and attaining full realm‑administrator privileges. This is a classic missing access‑control weakness (CWE‑863) that directly compromises a realm’s security.

Affected Systems

Red Hat Build of Keycloak, Red Hat Data Grid 8, Red Hat JBoss Enterprise Application Platform 8, Red Hat JBoss Enterprise Application Platform Expansion Pack, and Red Hat Single Sign‑On 7 are the affected products. Specific version information is not provided in the advisory, so any installation using these products with the vulnerable endpoint exposed remains at risk.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.2, which indicates medium severity. The EPSS score is not available, and it is not listed in the CISA KEV catalog, so the probability of exploitation is currently unclear. The likely attack vector is a properly authenticated POST request to the partialImport endpoint, meaning the threat is limited to environments where the admin interface is reachable and the user has limited admin rights. Until a vendor fix is issued, the risk is moderate but could increase if the flaw becomes publicly exploited or if configuration changes expose the endpoint to broader networks.

Generated by OpenCVE AI on June 8, 2026 at 14:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor patch or update that resolves the partialImport access‑control flaw as soon as it becomes available.
  • Restrict network access to the Keycloak administrative console and the /admin/realms/*/partialImport endpoint to trusted hosts or internal networks, limiting exposure to attackers.
  • Review and tighten limited administrator permissions: disable or lock user import capabilities for roles that do not require them, and ensure that only explicitly authorized users can assign realm‑admin role mappings.

Generated by OpenCVE AI on June 8, 2026 at 14:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 10:30:00 +0000

Type Values Removed Values Added
Title Keycloak: keycloak: privilege escalation via partialimport fgap permission bypass keycloak: keycloak: privilege escalation via partialImport FGAP permission bypass
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 03 Jul 2026 10:00:00 +0000

Type Values Removed Values Added
Description A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm administrator by importing users with realm-admin role mappings. The reported behavior does not constitute a privilege escalation. Exploitation requires the attacker to already possess the manage-realm administrative role within the realm-management client. By design, the manage-realm role is intended to be equivalent in administrative authority to realm-admin. A user with manage-realm already has full administrative control over the realm. Therefore, importing users with realm-admin role mappings through POST /admin/realms/{realm}/partialImport does not grant any additional privileges beyond those already held by the administrator and does not represent a security vulnerability.
CPEs cpe:/a:redhat:build_keycloak:
cpe:/a:redhat:jboss_data_grid:8
cpe:/a:redhat:jboss_enterprise_application_platform:8
cpe:/a:redhat:jbosseapxp
cpe:/a:redhat:red_hat_single_sign_on:7
Vendors & Products Redhat build Keycloak
Redhat jboss Data Grid
Redhat jbosseapxp

Tue, 09 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat build Of Keycloak
Redhat data Grid
Redhat jboss Enterprise Application Platform Expansion Pack
Vendors & Products Redhat build Of Keycloak
Redhat data Grid
Redhat jboss Enterprise Application Platform Expansion Pack

Tue, 09 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Mon, 08 Jun 2026 13:00:00 +0000

Type Values Removed Values Added
Description A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm administrator by importing users with realm-admin role mappings.
Title Keycloak: keycloak: privilege escalation via partialimport fgap permission bypass
First Time appeared Redhat
Redhat build Keycloak
Redhat jboss Data Grid
Redhat jboss Enterprise Application Platform
Redhat jbosseapxp
Redhat red Hat Single Sign On
Weaknesses CWE-863
CPEs cpe:/a:redhat:build_keycloak:
cpe:/a:redhat:jboss_data_grid:8
cpe:/a:redhat:jboss_enterprise_application_platform:8
cpe:/a:redhat:jbosseapxp
cpe:/a:redhat:red_hat_single_sign_on:7
Vendors & Products Redhat
Redhat build Keycloak
Redhat jboss Data Grid
Redhat jboss Enterprise Application Platform
Redhat jbosseapxp
Redhat red Hat Single Sign On
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Redhat Build Of Keycloak Data Grid Jboss Enterprise Application Platform Jboss Enterprise Application Platform Expansion Pack Red Hat Single Sign On
cve-icon MITRE

Status: REJECTED

Assigner: redhat

Published:

Updated: 2026-07-03T09:01:43.784Z

Reserved: 2026-06-08T11:34:22.437Z

Link: CVE-2026-11577

cve-icon Vulnrichment

Updated:

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-08T13:16:32.943

Modified: 2026-06-09T20:16:32.000

Link: CVE-2026-11577

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-08T00:00:00Z

Links: CVE-2026-11577 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T08:57:16Z

Weaknesses