CVE-2026-11577 HIGH

CVE-2026-11577: Keycloak: keycloak: privilege escalation via partialimport fgap permission bypass

Vendor Red Hat
Product Red Hat Build of Keycloak
Weakness CWE-863 · Incorrect authorization
Published June 8, 2026
Last update June 30, 2026
View on NVD All CVEs

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm administrator by importing users with realm-admin role mappings.

Key dates

02Disclosure timeline

June 8, 2026 CVE published
June 30, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-2527 Improper access control to group information CVE-2024-27288 1Panel open source panel project has an unauthorized vulnerability. CVE-2026-20238 Improper Access Control through Role Inheritance in Splunk AI Toolkit app CVE-2021-24281 Redirection for Contact Form 7 < 2.3.4 - Authenticated Arbitrary Post Deletion CVE-2026-44330 free5GC: NEF nnef-pfdmanagement API is unauthenticated; forged bearer tokens can read PFD data and create/delete PFD subscriptions