HIGH · CVE-2026-11577 · CNA: redhat

CVE-2026-11577: Keycloak: keycloak: privilege escalation via partialImport FGAP permission bypass

A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm administrator by importing users with realm-admin role mappings.

Metrics

  • CVSS v3.1: 7.2
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected products: 5


HarborGuard Analysis

Synopsis

A privilege escalation vulnerability exists in Keycloak's partialImport endpoint (POST /admin/realms/{realm}/partialImport). An authenticated limited administrator can bypass Fine-Grained Admin Permissions (FGAP) by importing users with realm-admin role mappings, effectively granting themselves full realm administrator rights. The flaw is reachable over the network and requires no victim interaction. No fix versions have been published; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-11577 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Keycloak or Red Hat Single Sign-On.

Triage (Available)

HarborGuard scores this CVE at CVSS 7.2 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Findings are surfaced to the appropriate team inbox within each customer organization based on configured escalation rules.

Patch (Pending upstream)

Because no upstream fix version has been published for CVE-2026-11577, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Red Hat publishes a remediated release. In the meantime, customers can apply compensating controls through HarborGuard's policy engine, such as network-policy isolation on the partialImport endpoint or flag-based feature gating.

Exploit Conditions

  • Network reachability: Required

    The partialImport endpoint is exposed over the network, so the attacker must be able to reach the Keycloak admin API via HTTP/S.

  • Authentication: Required

    The attacker must hold a valid limited-administrator account; any low-privilege admin credential is sufficient to trigger the bypass.

  • Victim interaction: Not required

    No victim action is needed; the attacker sends the crafted import request directly without involving another user.

  • Attack complexity: Low (AC:L)

    Exploitation is reliable and condition-free: no race conditions or special environmental factors are required to reach the vulnerable code path.

Blast Radius

  • A successful attacker promotes their account to full realm administrator, gaining unrestricted control over the Keycloak realm configuration.
  • The attacker can read all realm data, including stored user credentials, session tokens, and identity provider secrets.
  • The attacker can modify any realm object: adding or removing users, altering role assignments, and changing authentication flows.
  • With full realm-admin rights the attacker can disable or misconfigure authentication policies, effectively locking out legitimate administrators or disrupting SSO-dependent services.

How HarborGuard Handles This

Available on HarborGuard: images containing affected Keycloak or Red Hat Single Sign-On components are flagged at CVSS 7.2 (HIGH) and routed to the appropriate team as soon as the CVE is ingested. Because no upstream fix exists yet, HarborGuard monitors the Red Hat advisory on every ingest cycle and will trigger a patched-image rebuild automatically once a remediated version is published. For customers who opt into auto-remediation, that rebuild is followed by a regression-test run and a PR opened against affected workloads. While the fix is pending, HarborGuard's policy engine can be used to apply compensating controls: network-policy isolation restricting access to the /admin/realms/{realm}/partialImport endpoint to trusted source CIDRs, egress filtering to reduce lateral movement risk, and policy alerts that fire if images with this CVE are promoted to production. Where compliance policy permits, these controls can be enforced automatically across affected environments.
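The compensating control above restricts who may reach the partialImport endpoint; the natural companion while the fix is pending is a detection check that confirms the restriction holds. The following is an added example, not HarborGuard's or Keycloak's code. It assumes the Keycloak admin API sits behind a reverse proxy that writes Apache/nginx combined-format access logs, and it flags every POST to /admin/realms/{realm}/partialImport whose client address is outside a trusted admin CIDR. The trusted CIDRs and the log lines are constructed placeholders.

```python
import ipaddress
import re

# Hypothetical admin-network allowlist; replace with the CIDRs that are
# actually permitted to call the Keycloak admin API.
TRUSTED_CIDRS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "192.168.10.0/24")]

# POST /admin/realms/<realm>/partialImport, with an optional trailing slash or query string.
PARTIAL_IMPORT_RE = re.compile(r"^/admin/realms/[^/]+/partialImport/?(?:\?.*)?$")

# Minimal parser for combined-format access log lines:
# client IP, timestamp, request method and path, HTTP status.
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_LINE_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip_str):
    """True if the client address falls inside one of the allowlisted CIDRs."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        # Malformed or missing address: treat as untrusted so it is surfaced, not hidden.
        return False
    return any(ip in net for net in TRUSTED_CIDRS)


def find_partial_import_calls(lines):
    """Every POST to the partialImport endpoint as (ip, timestamp, status, trusted)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] != "POST" or not PARTIAL_IMPORT_RE.match(rec["path"]):
            continue
        hits.append((rec["ip"], rec["ts"], int(rec["status"]), is_trusted(rec["ip"])))
    return hits


def untrusted_partial_imports(lines):
    """Subset of partialImport calls that came from outside the trusted CIDRs."""
    return [h for h in find_partial_import_calls(lines) if not h[3]]


# Constructed sample log lines (203.0.113.0/24 is a documentation range, not a real client).
SAMPLE_LOG = [
    '10.0.5.7 - - [12/Mar/2026:09:14:02 +0000] "POST /admin/realms/master/partialImport HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '203.0.113.45 - - [12/Mar/2026:09:20:11 +0000] "POST /admin/realms/acme/partialImport HTTP/1.1" 200 734 "-" "python-requests/2.31"',
    '203.0.113.45 - - [12/Mar/2026:09:20:15 +0000] "GET /admin/realms/acme/users HTTP/1.1" 200 1020 "-" "python-requests/2.31"',
    '192.168.10.3 - - [12/Mar/2026:09:31:40 +0000] "POST /admin/realms/acme/partialImport?x=1 HTTP/1.1" 403 88 "-" "curl/8.4.0"',
    'this line is not an access-log record',
]

if __name__ == "__main__":
    for ip, ts, status, trusted in find_partial_import_calls(SAMPLE_LOG):
        flag = "ok" if trusted else "UNTRUSTED SOURCE"
        print(f"{ts} {ip} partialImport -> {status} [{flag}]")
```

A successful (200) partialImport from an address outside the allowlist is the signal worth alerting on: it means the network isolation is not in place or has been bypassed, and the imported users and role mappings should be reviewed against the realm's admin role assignments. Keycloak's own admin events, where enabled, give the same fact from the application side and are the better source when the proxy log is not available.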

Affected packages

  • Red Hat / Red Hat Build of Keycloak
  • Red Hat / Red Hat Data Grid 8
  • Red Hat / Red Hat JBoss Enterprise Application Platform 8
  • Red Hat / Red Hat JBoss Enterprise Application Platform Expansion Pack
  • Red Hat / Red Hat Single Sign-On 7

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H