Description
A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm administrator by importing users with realm-admin role mappings.
Published: 2026-06-08
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper access control flaw was discovered in the POST /admin/realms/{realm}/partialImport endpoint. A user holding only a limited administrator role can call it and import users that carry realm‑admin role mappings; the endpoint does not apply Fine‑Grained Admin Permissions (FGAP) to the role mappings in the imported data, so a limited administrator ends up with an account that has full realm‑administrator privileges. This is an incorrect authorization weakness (CWE‑863): the caller is authenticated and allowed to use the endpoint, but the authorization check does not cover the privileges the import confers, which directly compromises the realm.

Affected Systems

Red Hat Build of Keycloak, Red Hat JBoss Data Grid 8, Red Hat JBoss Enterprise Application Platform 8, Red Hat JBoss Enterprise Application Platform Expansion Pack, and Red Hat Single Sign‑On 7 are listed as affected. The advisory gives no specific version ranges, so any installation of these products that exposes the admin REST API to limited (fine‑grained) administrators should be treated as affected until a fixed version is named.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 7.2 (High) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H: it is reachable over the network with low attack complexity and no user interaction, but it requires high privileges, namely an existing account that already holds a limited administrator role in the realm. No EPSS score is available and the CVE is not listed in the CISA KEV catalog, so the probability of in‑the‑wild exploitation is currently unknown. The attack is an ordinarily authenticated POST request to the partialImport endpoint, so the exposed population is environments where delegated administrators can reach the admin REST API; in those environments the flaw turns any compromised or malicious limited administrator into a full realm administrator. With no vendor mitigation currently listed, the risk is moderate, and it rises if exploitation details become public or if configuration changes make the admin API reachable from broader networks.

Generated by OpenCVE AI on June 8, 2026 at 14:38 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Apply the vendor patch or update that resolves the partialImport access‑control flaw as soon as one is published; at the time of writing Red Hat lists no mitigation that meets its criteria, so patching is the only complete fix.
  • Restrict network access to the Keycloak administrative console and admin REST API (/admin/realms/*, including the partialImport endpoint) to trusted hosts or internal networks. This narrows exposure but does not stop a limited administrator who can already reach the API.
  • Treat the ability to call partialImport as equivalent to full realm administration until patched: review delegated (FGAP) administrator grants, remove partial‑import capability from administrators who do not need it where your version allows that, and audit admin events for partialImport operations and for users created or updated with realm‑management/realm‑admin role mappings.
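The detection suggested in the last point, and the mechanism described under Impact, can be checked against exported admin events. The script below is an added example for this page, not OpenCVE's or Keycloak's own code. It assumes admin events are exported one JSON object per line with Keycloak's usual admin‑event fields (realmId, operationType, resourceType, resourcePath, authDetails.userId, representation), that a call to POST /admin/realms/{realm}/partialImport appears with a resourcePath ending in "partialImport" (an assumption; adjust to what your deployment actually logs), and that the realm‑management client's realm‑admin role and the master realm's admin role are the mappings worth flagging. The user IDs, realm name and event lines are constructed for the example.

```python
"""Triage Keycloak admin events for risky partial imports.

Added example for this page, not OpenCVE's or Keycloak's own code. It
assumes admin events exported one JSON object per line with Keycloak's
admin-event fields; that a partialImport call has a resourcePath ending
in "partialImport" is an assumption. Sample events are constructed.
"""
import json

# Role mappings that amount to full realm administration. The
# realm-management client's realm-admin role is Keycloak's standard
# one; the "admin" realm role matters in the master realm.
PRIVILEGED_CLIENT_ROLES = {"realm-management": {"realm-admin"}}
PRIVILEGED_REALM_ROLES = {"admin"}

# Keycloak user IDs allowed to run partial imports at all (hypothetical).
ALLOWED_IMPORTERS = {"u-full-admin"}


def privileged_users(import_rep):
    """Usernames in a partial-import representation whose realmRoles or
    clientRoles mappings confer realm-admin-level access."""
    hits = []
    for user in import_rep.get("users", []):
        realm_hit = set(user.get("realmRoles", [])) & PRIVILEGED_REALM_ROLES
        client_hit = any(
            set(user.get("clientRoles", {}).get(client, [])) & roles
            for client, roles in PRIVILEGED_CLIENT_ROLES.items()
        )
        if realm_hit or client_hit:
            hits.append(user.get("username", "<unknown>"))
    return hits


def is_partial_import(event):
    """Assumed shape: the endpoint's resourcePath ends in 'partialImport'."""
    return str(event.get("resourcePath", "")).endswith("partialImport")


def triage(event_lines, allowed_importers):
    """One finding per partial-import event run by a principal outside the
    allowlist or whose payload carries realm-admin role mappings."""
    findings = []
    for line in event_lines:
        event = json.loads(line)
        if not is_partial_import(event):
            continue
        auth = event.get("authDetails", {})
        actor = auth.get("userId")
        rep = event.get("representation") or {}
        if isinstance(rep, str):  # Keycloak stores the representation as a JSON string
            rep = json.loads(rep)
        reasons = []
        if actor not in allowed_importers:
            reasons.append("actor not in partial-import allowlist")
        escalated = privileged_users(rep)
        if escalated:
            reasons.append("imports realm-admin users: " + ", ".join(escalated))
        if reasons:
            findings.append({"realm": event.get("realmId"), "actor": actor,
                             "ip": auth.get("ipAddress"), "reasons": reasons})
    return findings


def _event(actor, path, rep=None, op="ACTION"):
    """Build one constructed admin-event line."""
    return json.dumps({
        "realmId": "acme", "operationType": op, "resourceType": "REALM",
        "resourcePath": path,
        "authDetails": {"realmId": "acme", "clientId": "admin-cli",
                        "userId": actor, "ipAddress": "10.0.0.5"},
        "representation": json.dumps(rep) if rep is not None else None,
    })


SAMPLE_EVENTS = [
    # Full admin imports an ordinary user: nothing to flag.
    _event("u-full-admin", "partialImport",
           {"users": [{"username": "alice", "realmRoles": ["offline_access"]}]}),
    # Limited admin (outside allowlist) imports a realm-admin user: two reasons.
    _event("u-limited", "partialImport",
           {"users": [{"username": "backdoor",
                       "clientRoles": {"realm-management": ["realm-admin"]}}]}),
    # Unrelated user creation: not a partial import, skipped.
    _event("u-limited", "users/7c1e", {"username": "bob"}, op="CREATE"),
    # Allowed importer, but the payload grants the admin realm role: one reason.
    _event("u-full-admin", "partialImport",
           {"users": [{"username": "ops-bot", "realmRoles": ["admin"]}]}),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, ALLOWED_IMPORTERS):
        print(finding)
```

Run against the constructed events it reports two findings: the limited administrator's import of "backdoor" (outside the allowlist and granting realm‑admin) and the allowed importer's payload that grants the admin realm role. The second case is the reason to inspect the representation rather than only the actor: after patching, a legitimate importer still should not be quietly creating realm administrators.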

Generated by OpenCVE AI on June 8, 2026 at 14:38 UTC.


Advisories

No advisories yet.

History

Mon, 08 Jun 2026 13:00:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm administrator by importing users with realm-admin role mappings.

Type: Title
  Values Removed: (none)
  Values Added: Keycloak: keycloak: privilege escalation via partialimport fgap permission bypass

Type: First Time appeared
  Values Removed: (none)
  Values Added: Redhat; Redhat build Keycloak; Redhat jboss Data Grid; Redhat jboss Enterprise Application Platform; Redhat jbosseapxp; Redhat red Hat Single Sign On

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-863

Type: CPEs
  Values Removed: (none)
  Values Added:
    cpe:/a:redhat:build_keycloak:
    cpe:/a:redhat:jboss_data_grid:8
    cpe:/a:redhat:jboss_enterprise_application_platform:8
    cpe:/a:redhat:jbosseapxp
    cpe:/a:redhat:red_hat_single_sign_on:7

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Redhat; Redhat build Keycloak; Redhat jboss Data Grid; Redhat jboss Enterprise Application Platform; Redhat jbosseapxp; Redhat red Hat Single Sign On

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-08T11:44:41.892Z

Reserved: 2026-06-08T11:34:22.437Z

Link: CVE-2026-11577

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-06-08T13:16:32.943

Modified: 2026-06-08T14:57:49.490

Link: CVE-2026-11577

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T14:45:04Z

Weaknesses