Bug 2459993 (CVE-2026-11577) - CVE-2026-11577 keycloak: keycloak: privilege escalation via partialImport FGAP permission bypass
Summary: CVE-2026-11577 keycloak: keycloak: privilege escalation via partialImport FGA...
Keywords:
Status: NEW
Alias: CVE-2026-11577
Deadline: 2026-07-18
Product: Security Response
Classification: Other
Component: vulnerability-draft
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-04-21 07:35 UTC by OSIDB Bzimport
Modified: 2026-07-03 09:08 UTC (History)
30 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-04-21 07:35:34 UTC
Privilege escalation in Keycloak via POST /admin/realms/{realm}/partialImport. The endpoint bypasses Fine-Grained Admin Permissions (FGAP) -- it only checks requireManageRealm() but not per-resource-type permissions. A limited admin with only manage-realm can escalate to full realm admin by importing users with realm-admin role mappings. Verified on Keycloak 26.6.1.

Related: GitHub issue #9387 describes this as hardening, but it is an exploitable privilege escalation.

Comment 3 Abhishek Raj 2026-07-03 09:08:11 UTC
This CVE is rejected because : The reported behavior does not constitute a privilege escalation. Exploitation requires the attacker to already possess the manage-realm administrative role within the realm-management client. By design, the manage-realm role is intended to be equivalent in administrative authority to realm-admin. A user with manage-realm already has full administrative control over the realm. Therefore, importing users with realm-admin role mappings through POST /admin/realms/{realm}/partialImport does not grant any additional privileges beyond those already held by the administrator and does not represent a security vulnerability.


Note You need to log in before you can comment on or make changes to this bug.