Keycloak PartialImport FGAP Escalation via Admin Import
CVE-2026-11577 Published on June 8, 2026

Keycloak: keycloak: privilege escalation via partialimport fgap permission bypass
A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm administrator by importing users with realm-admin role mappings.

NVD

Vulnerability Analysis

CVE-2026-11577 can be exploited with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2026-11577. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
HIGH
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Timeline

Reported to Red Hat.

Made public. 51 days later.

Weakness Type

What is an AuthZ Vulnerability?

The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVE-2026-11577 has been classified to as an AuthZ vulnerability or weakness.


Products Associated with CVE-2026-11577

Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.

Red Hat Build Keycloak
 
Red Hat Jboss Data Grid
 
Red Hat Jboss Enterprise Application Platform
 
Red Hat Jbosseapxp
 
Red Hat Single Sign On
 

Affected Versions

Red Hat Build of Keycloak: Red Hat Data Grid 8: Red Hat JBoss Enterprise Application Platform 8: Red Hat JBoss Enterprise Application Platform Expansion Pack: Red Hat Single Sign-On 7: