Fedora Account System
Red Hat Associate
Red Hat Customer
Privilege escalation in Keycloak via POST /admin/realms/{realm}/partialImport. The endpoint bypasses Fine-Grained Admin Permissions (FGAP) -- it only checks requireManageRealm() but not per-resource-type permissions. A limited admin with only manage-realm can escalate to full realm admin by importing users with realm-admin role mappings. Verified on Keycloak 26.6.1. Related: GitHub issue #9387 describes this as hardening, but it is an exploitable privilege escalation.
This CVE is rejected because : The reported behavior does not constitute a privilege escalation. Exploitation requires the attacker to already possess the manage-realm administrative role within the realm-management client. By design, the manage-realm role is intended to be equivalent in administrative authority to realm-admin. A user with manage-realm already has full administrative control over the realm. Therefore, importing users with realm-admin role mappings through POST /admin/realms/{realm}/partialImport does not grant any additional privileges beyond those already held by the administrator and does not represent a security vulnerability.