CVE-2026-11577 Overview
CVE-2026-11577 is an improper access control vulnerability in Keycloak, the open-source identity and access management solution maintained by Red Hat. The flaw exists in the POST /admin/realms/{realm}/partialImport endpoint. A limited administrator can bypass Fine-Grained Admin Permissions (FGAP) and escalate privileges to a full realm administrator. The attacker achieves this by importing users that carry realm-admin role mappings through the partial import functionality. The vulnerability is tracked under CWE-863: Incorrect Authorization.
Critical Impact
A constrained Keycloak administrator can escalate their own access to full realm administrator, gaining control over every user, client, and identity policy within the affected realm.
Affected Products
- Red Hat Keycloak (see vendor advisory for fixed versions)
- Red Hat Build of Keycloak
- Red Hat Single Sign-On (downstream distribution)
Discovery Timeline
- 2026-06-08 - CVE-2026-11577 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-11577
Vulnerability Analysis
Keycloak exposes the partialImport administrative endpoint to allow operators to import realm objects such as users, clients, groups, and roles from a JSON payload. The endpoint is intended to enforce Fine-Grained Admin Permissions, which restrict what a delegated administrator can create or modify. The flaw is that role mappings included in the import payload are not validated against the caller's FGAP scope. A delegated administrator with permission to create users can therefore submit a payload that assigns the built-in realm-admin composite role to a newly imported account.
Once the import completes, the attacker authenticates as the imported user and inherits unrestricted realm administrator privileges. From that position, an attacker can modify identity federation, create or alter clients, exfiltrate credentials, and pivot into any downstream application protected by the realm.
Root Cause
The root cause is missing authorization on role assignment paths inside the partialImport handler. The endpoint validates that the caller is an administrator but does not verify that the caller is permitted to grant each role included in the import body. This breaks the FGAP trust boundary and converts a user-management permission into role-assignment authority.
Attack Vector
Exploitation requires network access to the Keycloak admin REST API and valid credentials for a delegated administrator account. No user interaction is required. The attacker sends a crafted JSON payload to POST /admin/realms/{realm}/partialImport containing a user object with a realmRoles entry referencing realm-admin. After the request succeeds, the attacker logs in as the imported user and operates with full realm-administrator authority.
No verified public proof-of-concept code is available at the time of writing. See the Red Hat CVE-2026-11577 Advisory, the Red Hat Bug Report #2459993, and the GitHub Keycloak Issue #9387 for technical details.
Detection Methods for CVE-2026-11577
Indicators of Compromise
- Admin event log entries of type PARTIAL_IMPORT originating from accounts that are not full realm administrators.
- Newly created users whose realmRoles include realm-admin, admin, or composite roles that grant administrative scope.
- Authentication events for newly imported users immediately followed by configuration changes to clients, identity providers, or authentication flows.
Detection Strategies
- Enable Keycloak admin events and user events, then alert on any PARTIAL_IMPORT operation that introduces privileged role mappings.
- Compare the role memberships of accounts created in the last 24 hours against an allowlist of expected administrative principals.
- Correlate API calls to /admin/realms/{realm}/partialImport with the calling administrator's assigned FGAP scope to flag scope-exceeding imports.
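The first and third strategies above, carried out as an added example that is not part of the original page: a small scanner over Keycloak admin event lines that flags partial imports which introduce privileged role mappings from callers outside an allowlist of full administrators. The event layout (authDetails, resourcePath, representation as a JSON string), the sample events and the FULL_ADMINS set are constructed assumptions; the check covers both realmRoles and realm-management client roles, which goes slightly beyond the page's realmRoles case.

```python
import json

# Role names the page lists as granting administrative scope; extend per deployment.
PRIVILEGED_ROLES = {"realm-admin", "admin"}

# Constructed sample admin events; the field layout is an assumption modelled on
# Keycloak's admin event JSON with "include representation" enabled.
SAMPLE_EVENTS = [
    json.dumps({"time": 1, "operationType": "ACTION", "resourcePath": "partialImport",
                "authDetails": {"userId": "delegated-1", "ipAddress": "10.0.0.5"},
                "representation": json.dumps({"users": [
                    {"username": "helpdesk", "realmRoles": ["offline_access"]},
                    {"username": "svc-backup", "realmRoles": ["realm-admin"]}]})}),
    json.dumps({"time": 2, "operationType": "CREATE", "resourcePath": "users/abc",
                "authDetails": {"userId": "delegated-1"},
                "representation": json.dumps({"username": "plain"})}),
    json.dumps({"time": 3, "operationType": "ACTION", "resourcePath": "partialImport",
                "authDetails": {"userId": "full-admin-1"},
                "representation": json.dumps({"users": [
                    {"username": "ops", "clientRoles": {"realm-management": ["realm-admin"]}}]})}),
]

# Assumed allowlist of principals expected to grant administrative roles.
FULL_ADMINS = {"full-admin-1"}


def privileged_roles_in(user):
    """Return the privileged roles a user representation would receive.
    Client roles are reported as client/role so the source is visible."""
    roles = set(user.get("realmRoles", []))
    for client, client_roles in user.get("clientRoles", {}).items():
        roles.update(f"{client}/{r}" for r in client_roles)
    return {r for r in roles if r.rsplit("/", 1)[-1] in PRIVILEGED_ROLES}


def scan(lines, full_admins=FULL_ADMINS):
    """Yield (caller, username, roles) for partial imports that grant privileged
    roles and are not performed by an allowlisted full administrator."""
    findings = []
    for line in lines:
        event = json.loads(line)
        if not event.get("resourcePath", "").endswith("partialImport"):
            continue
        caller = event.get("authDetails", {}).get("userId")
        # Representation is absent when the realm does not record it; treat as empty.
        representation = json.loads(event.get("representation") or "{}")
        for user in representation.get("users", []):
            privileged = privileged_roles_in(user)
            if privileged and caller not in full_admins:
                findings.append((caller, user.get("username"), sorted(privileged)))
    return findings
```

Running scan(SAMPLE_EVENTS) flags only the delegated caller's import of svc-backup; the same import by an allowlisted administrator is left alone.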
Monitoring Recommendations
- Forward Keycloak admin and event logs to a centralized SIEM or data lake and retain them for at least 90 days.
- Build a detection that triggers when any account is granted realm-admin outside of an approved change ticket.
- Monitor for anomalous logins from service or delegated-admin accounts that have not historically used the admin console.
How to Mitigate CVE-2026-11577
Immediate Actions Required
- Upgrade Keycloak to a version that includes the fix referenced in the Red Hat CVE-2026-11577 Advisory.
- Audit every delegated administrator account and remove unused or over-scoped FGAP grants.
- Review all user accounts created via partialImport since the affected version was deployed and revoke any unexpected administrative roles.
Patch Information
Red Hat has published fixed builds for Keycloak and downstream distributions. Refer to the Red Hat CVE-2026-11577 Advisory for the specific fixed versions matching your deployment channel and to the Red Hat Bug Report #2459993 for issue tracking.
Workarounds
- Restrict access to the /admin/realms/{realm}/partialImport endpoint at the reverse proxy or API gateway layer until patching is complete.
- Remove user-management or import permissions from delegated administrators that do not require them.
- Require multi-factor authentication for all administrative accounts to raise the bar for credential abuse against the admin REST API.
# Example reverse-proxy block (nginx) restricting partialImport to a trusted CIDR
location ~* ^/admin/realms/[^/]+/partialImport$ {
    allow 10.0.0.0/24;                    # trusted admin network; adjust to your environment
    deny all;                             # everything else receives 403
    proxy_pass http://keycloak_upstream;  # upstream block named keycloak_upstream defined elsewhere
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

