Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Fri, 03 Jul 2026 10:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Keycloak: keycloak: privilege escalation via partialimport fgap permission bypass | keycloak: keycloak: privilege escalation via partialImport FGAP permission bypass |
| Metrics |
ssvc
|
Fri, 03 Jul 2026 10:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm administrator by importing users with realm-admin role mappings. | The reported behavior does not constitute a privilege escalation. Exploitation requires the attacker to already possess the manage-realm administrative role within the realm-management client. By design, the manage-realm role is intended to be equivalent in administrative authority to realm-admin. A user with manage-realm already has full administrative control over the realm. Therefore, importing users with realm-admin role mappings through POST /admin/realms/{realm}/partialImport does not grant any additional privileges beyond those already held by the administrator and does not represent a security vulnerability. |
| CPEs | cpe:/a:redhat:jboss_data_grid:8 cpe:/a:redhat:jboss_enterprise_application_platform:8 cpe:/a:redhat:jbosseapxp cpe:/a:redhat:red_hat_single_sign_on:7 |
|
| Vendors & Products |
Redhat build Keycloak
Redhat jboss Data Grid Redhat jbosseapxp |
Tue, 09 Jun 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Tue, 09 Jun 2026 09:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Redhat build Of Keycloak
Redhat data Grid Redhat jboss Enterprise Application Platform Expansion Pack |
|
| Vendors & Products |
Redhat build Of Keycloak
Redhat data Grid Redhat jboss Enterprise Application Platform Expansion Pack |
Tue, 09 Jun 2026 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References |
| |
| Metrics |
threat_severity
|
threat_severity
|
Mon, 08 Jun 2026 13:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm administrator by importing users with realm-admin role mappings. | |
| Title | Keycloak: keycloak: privilege escalation via partialimport fgap permission bypass | |
| First Time appeared |
Redhat
Redhat build Keycloak Redhat jboss Data Grid Redhat jboss Enterprise Application Platform Redhat jbosseapxp Redhat red Hat Single Sign On |
|
| Weaknesses | CWE-863 | |
| CPEs | cpe:/a:redhat:build_keycloak: cpe:/a:redhat:jboss_data_grid:8 cpe:/a:redhat:jboss_enterprise_application_platform:8 cpe:/a:redhat:jbosseapxp cpe:/a:redhat:red_hat_single_sign_on:7 |
|
| Vendors & Products |
Redhat
Redhat build Keycloak Redhat jboss Data Grid Redhat jboss Enterprise Application Platform Redhat jbosseapxp Redhat red Hat Single Sign On |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: REJECTED
Assigner: redhat
Published:
Updated: 2026-07-03T09:01:43.784Z
Reserved: 2026-06-08T11:34:22.437Z
Link: CVE-2026-11577
Updated:
Status : Awaiting Analysis
Published: 2026-06-08T13:16:32.943
Modified: 2026-06-09T20:16:32.000
Link: CVE-2026-11577
OpenCVE Enrichment
Updated: 2026-06-09T08:57:16Z