CVE-2026-11577 | Keycloak: keycloak: privilege escalation via partialimport fgap permission bypass

Rejected reason: The reported behavior does not constitute a privilege escalation. Exploitation requires the attacker to already possess the manage-realm administrative role within the realm-management client. By design, the manage-realm role is intended to be equivalent in administrative authority to realm-admin. A user with manage-realm already has full administrative control over the realm. Therefore, importing users with realm-admin role mappings through POST /admin/realms/{realm}/partialImport does not grant any additional privileges beyond those already held by the administrator and does not represent a security vulnerability.

Published: 2026-06-08 Last update: 2026-07-03 Assigner: [email protected] Source: [email protected]

Conclusion & alert: This CVE is rejected; it is not tracked as an active vulnerability. Mandatory action: Do not treat as an active exposure for patching queues—follow the CVE record status and authoritative vendor or program statements only.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2026-11577

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 0.03% 0.32% +0.29%
2 2026-06-09 0.03%

Full EPSS history (2 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2026-11577

CVSS metrics for this CVE.

No CVSS data in dataset for this CVE.

Weakness enumeration for CVE-2026-11577

GitHub Security Advisory for CVE-2026-11577

GHSA-p5q4-94mg-325p · Severity: high — A flaw was found in Keycloak. A limited administrator can exploit an improper access control...

OS Trackers for CVE-2026-11577

vendor priority summary link
redhat high https://access.redhat.com/security/cve/CVE-2026-11577

Affected software / configurations for CVE-2026-11577

Vendor Product Version Raw CPE
No affected products in dataset.

References for CVE-2026-11577

URL Tags
No references in dataset.
cvelogic Threat Intelligence