CVE-2026-11577 PUBLISHED

Keycloak: keycloak: privilege escalation via partialimport fgap permission bypass

Assigner: redhat
Reserved: 08.06.2026 Published: 08.06.2026 Updated: 08.06.2026

A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm administrator by importing users with realm-admin role mappings.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 7.2

Product Status

Vendor Red Hat
Product Red Hat Build of Keycloak
Versions Default: affected
Vendor Red Hat
Product Red Hat Data Grid 8
Versions Default: affected
Vendor Red Hat
Product Red Hat JBoss Enterprise Application Platform 8
Versions Default: affected
Vendor Red Hat
Product Red Hat JBoss Enterprise Application Platform Expansion Pack
Versions Default: affected
Vendor Red Hat
Product Red Hat Single Sign-On 7
Versions Default: unknown

Workarounds

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Credits

  • Red Hat would like to thank Andrii Ilin (10Guards) for reporting this issue.

References

Problem Types

  • Incorrect Authorization CWE