Bug 2459993 (CVE-2026-11577)

Summary: CVE-2026-11577 keycloak: keycloak: privilege escalation via partialImport FGAP permission bypass
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability-draftAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: anujha, aschwart, asoldano, aszczucz, bbaranow, bmaxwell, boliveir, bstansbe, dlofthou, drichtar, istudens, ivassile, iweiss, mosmerov, mposolda, msvehla, nwallace, pberan, pesilva, pjindal, pmackay, rmartinc, rstancel, security-response-team, smaestri, ssilvert, sthorger, thjenkin, vdosoudi, vmuzikar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm administrator by importing users with realm-admin role mappings.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Deadline: 2026-07-18   

Description OSIDB Bzimport 2026-04-21 07:35:34 UTC
Privilege escalation in Keycloak via POST /admin/realms/{realm}/partialImport. The endpoint bypasses Fine-Grained Admin Permissions (FGAP) -- it only checks requireManageRealm() but not per-resource-type permissions. A limited admin with only manage-realm can escalate to full realm admin by importing users with realm-admin role mappings. Verified on Keycloak 26.6.1.

Related: GitHub issue #9387 describes this as hardening, but it is an exploitable privilege escalation.

Comment 3 Abhishek Raj 2026-07-03 09:08:11 UTC
This CVE is rejected because : The reported behavior does not constitute a privilege escalation. Exploitation requires the attacker to already possess the manage-realm administrative role within the realm-management client. By design, the manage-realm role is intended to be equivalent in administrative authority to realm-admin. A user with manage-realm already has full administrative control over the realm. Therefore, importing users with realm-admin role mappings through POST /admin/realms/{realm}/partialImport does not grant any additional privileges beyond those already held by the administrator and does not represent a security vulnerability.