High severity7.2NVD Advisory· Published Jun 8, 2026· Updated Jun 8, 2026

CVE-2026-11577

Description

A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm administrator by importing users with realm-admin role mappings.

Affected products

Red Hat/Build Of Keycloakreferences
Keycloak/Keycloakllm-fuzzy

Patches

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

access.redhat.com/security/cve/CVE-2026-11577nvd
bugzilla.redhat.com/show_bug.cginvd
github.com/keycloak/keycloak/issues/9387nvd

News mentions

No linked articles in our index yet.

cvss	0.468
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000