Metrics
Affected Vendors & Products
Fri, 03 Jul 2026 10:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Keycloak: keycloak: privilege escalation via partialimport fgap permission bypass | keycloak: keycloak: privilege escalation via partialImport FGAP permission bypass |
| Metrics |
ssvc
|
Fri, 03 Jul 2026 10:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm administrator by importing users with realm-admin role mappings. | The reported behavior does not constitute a privilege escalation. Exploitation requires the attacker to already possess the manage-realm administrative role within the realm-management client. By design, the manage-realm role is intended to be equivalent in administrative authority to realm-admin. A user with manage-realm already has full administrative control over the realm. Therefore, importing users with realm-admin role mappings through POST /admin/realms/{realm}/partialImport does not grant any additional privileges beyond those already held by the administrator and does not represent a security vulnerability. |
| CPEs | cpe:/a:redhat:jboss_data_grid:8 cpe:/a:redhat:jboss_enterprise_application_platform:8 cpe:/a:redhat:jbosseapxp cpe:/a:redhat:red_hat_single_sign_on:7 |
|
| Vendors & Products |
Redhat build Keycloak
Redhat jboss Data Grid Redhat jbosseapxp |
Tue, 09 Jun 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Tue, 09 Jun 2026 09:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Redhat build Of Keycloak
Redhat data Grid Redhat jboss Enterprise Application Platform Expansion Pack |
|
| Vendors & Products |
Redhat build Of Keycloak
Redhat data Grid Redhat jboss Enterprise Application Platform Expansion Pack |
Tue, 09 Jun 2026 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References |
| |
| Metrics |
threat_severity
|
threat_severity
|
Mon, 08 Jun 2026 13:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm administrator by importing users with realm-admin role mappings. | |
| Title | Keycloak: keycloak: privilege escalation via partialimport fgap permission bypass | |
| First Time appeared |
Redhat
Redhat build Keycloak Redhat jboss Data Grid Redhat jboss Enterprise Application Platform Redhat jbosseapxp Redhat red Hat Single Sign On |
|
| Weaknesses | CWE-863 | |
| CPEs | cpe:/a:redhat:build_keycloak: cpe:/a:redhat:jboss_data_grid:8 cpe:/a:redhat:jboss_enterprise_application_platform:8 cpe:/a:redhat:jbosseapxp cpe:/a:redhat:red_hat_single_sign_on:7 |
|
| Vendors & Products |
Redhat
Redhat build Keycloak Redhat jboss Data Grid Redhat jboss Enterprise Application Platform Redhat jbosseapxp Redhat red Hat Single Sign On |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: REJECTED
Assigner: redhat
Published: 2026-06-08T11:44:41.892Z
Updated: 2026-07-03T09:01:43.784Z
Reserved: 2026-06-08T11:34:22.437Z
Link: CVE-2026-11577
Updated:
Status : Awaiting Analysis
Published: 2026-06-08T13:16:32.943
Modified: 2026-06-09T20:16:32.000
Link: CVE-2026-11577