This CVE has been withdrawn by MITRE
MITRE marked CVE-2026-11577 as REJECTED on . There is no longer a valid blast radius to assess. Any historical package or vendor data shown below is preserved for audit reference only.
The reported behavior does not constitute a privilege escalation. Exploitation requires the attacker to already possess the manage-realm administrative role within the realm-management client. By design, the manage-realm role is intended to be equivalent in administrative authority to realm-admin. A user with manage-realm already has full administrative control over the realm. Therefore, importing users with realm-admin role mappings through POST /admin/realms/{realm}/partialImport does not gra…
CVE-2026-11577 Blast Radius
✕ WITHDRAWN — HISTORICAL DATAA flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialIm…