Issuer: Adverse Trace
Date issued: 2026-06-08
Version: 1.0
1. Executive summary
A high-severity improper access control vulnerability exists in Keycloak affecting the POST /admin/realms/{realm}/partialImport endpoint. Authenticated administrators with limited permissions can exploit this flaw to bypass Fine-Grained Admin Permissions (FGAP) and escalate privileges to a full realm administrator by importing users with realm-admin role mappings. A related flaw in FGAPv2 also allows limited administrators to assign arbitrary realm roles via client scope mappings. For EMEA financial services, this represents a critical insider threat or compromised credential scenario where least-privilege boundaries are ineffective, directly jeopardizing IAM integrity and regulatory compliance regarding access control.
2. Regulatory framing
| Regulation | Article | Practical Impact on Financial Entities |
|---|---|---|
| DORA | Art. 17 | Requires immediate classification and management of this ICT risk; failure to patch allows unauthorized privilege escalation, violating protection policies. |
| DORA | Art. 19 | Mandates reporting of major ICT-related incidents if exploitation leads to significant operational disruption or data compromise. |
| DORA | Art. 28-30 | Necessitates review of third-party ICT service providers (if Keycloak is managed externally) and ensures contractual alignment on patching timelines. |
| NIS2 | Art. 21(2)(d) | Requires implementation of technical measures for "access control" and "cryptographic measures"; this flaw renders current logical access controls porous. |
| NIS2 | Art. 23 | Mandates early warning and incident reporting to CSIRTs if exploitation is detected within the supply chain or internal infrastructure. |
3. Attack chain
- An attacker authenticates to the Keycloak administration console with limited administrator credentials (e.g., client management permissions only).
- The attacker sends a crafted HTTP POST request to the /admin/realms/{realm}/partialImport endpoint.
- The payload contains a user definition mapped to the realm-admin role.
- Due to improper access control validation, Keycloak processes the import despite the attacker lacking explicit permission to assign realm-level roles.
- The attacker's scope is escalated, granting full realm administration capabilities.
Unconfirmed steps: While the primary vector is the partialImport endpoint, the related FGAPv2 flaw suggests attackers may alternatively manipulate client scope mappings to inject roles into authentication tokens. Specific exploitation tooling or wild exploitation has not been confirmed in the provided sources.
4. Mitigation & containment
Priority 1 (Within 24h): Containment & Configuration
- Restrict Endpoint Access: Implement WAF or API Gateway rules to block external or non-essential internal access to POST /admin/realms/*/partialImport.
- Rule Logic: Deny POST requests matching the regex /admin/realms/[^/]+/partialImport unless they originate from trusted management subnets.
- Audit Admin Roles: Immediately review all accounts holding "limited administrator" or "client management" roles. Verify that no unauthorized users possess these permissions.
- Disable FGAPv2 (If applicable): If the environment uses Fine-Grained Admin Permissions v2 and the specific patch is not yet applied, consider temporarily reverting to the standard permission model or disabling the feature if business continuity allows, pending vendor guidance.

Priority 2 (Within 72h): Remediation
- Patch Keycloak: Upgrade to the latest stable version of Keycloak released on or after 2026-06-08 that addresses CVE-2026-11577 and the FGAPv2 flaw.
  - Action: Update container images or binary installations to the vendor-specified fixed version.
- Role Recalibration: Post-patch, re-evaluate all administrative roles. Ensure the principle of least privilege is enforced: the patch closes the bypass but does not remove permissions that were already escalated.

Priority 3 (Within 7 days): Verification
- Log Analysis: Search authentication and administration logs for successful POST requests to /admin/realms/{realm}/partialImport by non-super-admin users in the last 30 days.
- Token Audit: Inspect issued JWTs/OIDC tokens for unexpected realm-admin claims originating from clients managed by limited admins.
5. Indicators of compromise
No specific file hashes, IP addresses, or domains are available in the source material. The primary indicator is the HTTP request pattern.
| Type | Value | Confidence | Source |
|---|---|---|---|
| HTTP Method/Path | POST /admin/realms/{realm}/partialImport | High | GitHub Advisory / CVE-2026-11577 |
| Role Claim | realm-admin (in import payload) | High | GitHub Advisory |
6. Detection
The following rules detect the exploitation attempt based on the specific endpoint and role mapping described in the advisory.
rule Keycloak_Privilege_Escalation_Attempt {
    meta:
        author = "Adverse Trace"
        date = "2026-06-08"
        reference = "https://github.com/advisories/GHSA-p5q4-94mg-325p"
        description = "Detects HTTP POST requests to the vulnerable partialImport endpoint attempting to inject realm-admin roles."
    strings:
        $http_method = "POST"
        $endpoint = "/admin/realms/"
        $import_action = "partialImport"
        $target_role = "realm-admin"
    condition:
        $http_method and $endpoint and $import_action and $target_role
}
title: Keycloak PartialImport Privilege Escalation
id: 8a2b3c4d-5e6f-7g8h-9i0j-k1l2m3n4o5p6
status: experimental
description: Detects POST requests to the Keycloak partialImport endpoint which may indicate an attempt to exploit CVE-2026-11577.
author: Adverse Trace
date: 2026/06/08
references:
    - https://github.com/advisories/GHSA-p5q4-94mg-325p
logsource:
    category: webserver
    service: generic
detection:
    selection:
        # both fragments must be present in the URI (a duplicated key would keep only the last one)
        c-uri|contains|all:
            - '/admin/realms/'
            - 'partialImport'
        method: 'POST'
    filter_role_injection:
        # list of maps: match when either the URI or the request body carries the role name
        - c-uri|contains: 'realm-admin'
        - c-body|contains: 'realm-admin'
    condition: selection and filter_role_injection
falsepositives:
    - Legitimate super-admin usage of the import function (requires context on user role).
level: high
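The Priority 1 rule logic (POST to /admin/realms/[^/]+/partialImport outside trusted management subnets) and the Priority 3 log search (partialImport POSTs by non-super-admin users, bodies carrying realm-admin) can be run together over exported gateway logs. The script below is an added example, not Adverse Trace or Keycloak code; the JSON-lines log shape, the body_excerpt field, the 10.20.0.0/24 management subnet and all user names are constructed assumptions.

```python
import ipaddress
import json
import re
from typing import Iterable, List, Optional, Set

# Trusted management subnets (assumed value; substitute your own ranges).
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Path pattern from the advisory's rule logic: /admin/realms/<realm>/partialImport
PARTIAL_IMPORT_RE = re.compile(r"^/admin/realms/([^/]+)/partialImport/?$")

# Constructed JSON-lines access log (not real Keycloak or proxy output). The
# "body_excerpt" field stands in for whatever body logging the gateway provides.
SAMPLE_LOG = """\
{"ts":"2026-06-09T08:01:12Z","src":"10.20.0.15","user":"platform-superadmin","method":"POST","path":"/admin/realms/retail/partialImport","status":200,"body_excerpt":"... realm-admin ..."}
{"ts":"2026-06-09T09:14:03Z","src":"10.55.3.21","user":"client-ops-lisa","method":"POST","path":"/admin/realms/retail/partialImport","status":200,"body_excerpt":"... realm-admin ..."}
{"ts":"2026-06-09T09:20:45Z","src":"10.55.3.21","user":"client-ops-lisa","method":"GET","path":"/admin/realms/retail/partialImport","status":405,"body_excerpt":""}
{"ts":"2026-06-09T10:02:10Z","src":"192.0.2.77","user":"client-ops-omar","method":"POST","path":"/admin/realms/wealth/partialImport","status":200,"body_excerpt":"... offline_access ..."}
"""

def is_trusted(src_ip: str) -> bool:
    """True when the client address falls inside a trusted management subnet."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in TRUSTED_MGMT_NETS)

def classify(rec: dict) -> Optional[str]:
    """Severity for one request record, or None when it is not a partialImport POST."""
    if rec.get("method") != "POST" or not PARTIAL_IMPORT_RE.match(rec.get("path", "")):
        return None
    # A successful import whose body carries realm-admin is the escalation pattern itself.
    if rec.get("status") == 200 and "realm-admin" in rec.get("body_excerpt", ""):
        return "high"
    # Any other partialImport POST from outside the management subnets breaks the WAF rule.
    if not is_trusted(rec["src"]):
        return "medium"
    return None

def scan(lines: Iterable[str], super_admins: Set[str]) -> List[dict]:
    """Return findings for partialImport POSTs not attributable to a known super-admin."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        severity = classify(rec)
        if severity and rec.get("user") not in super_admins:
            realm = PARTIAL_IMPORT_RE.match(rec["path"]).group(1)
            findings.append({"ts": rec["ts"], "user": rec["user"], "src": rec["src"], "realm": realm, "severity": severity})
    return findings
```

Feed `scan()` one JSON line per request and the set of accounts you know hold full realm-admin rights; every returned finding is a candidate for the 30-day review in Priority 3.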
7. Sources
- GitHub Security Advisories, "A flaw was found in Keycloak...", https://github.com/advisories/GHSA-p5q4-94mg-325p, 2026-06-08.
- GitHub Security Advisories, "A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2)...", https://github.com/advisories/GHSA-8hcx-p7m8-gc28, Accessed 2026-06-08.
- BSI Germany (CERT-Bund), "[UPDATE] [mittel] Keycloak: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen", https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1330, 2026-06-08.
- BSI Germany (CERT-Bund), "[UPDATE] [mittel] Keycloak: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen", https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1573, 2026-06-08.
- National Vulnerability Database (via GitHub), "CVE-2026-11577", https://github.com/advisories/GHSA-p5q4-94mg-325p, 2026-06-08.
8. Adverse Trace position
Adverse Trace assesses this vulnerability as High Severity for all EMEA financial clients utilizing Keycloak for Identity and Access Management (IAM). The risk is exacerbated by the "limited administrator" vector, implying that standard role-segregation controls are currently ineffective against this specific flaw. While no wild exploitation is confirmed in the sources, the simplicity of the HTTP-based exploit makes it highly likely to be weaponized rapidly. Clients must treat this as a priority patching event and assume that any limited admin account active in the last 30 days may have been used to escalate privileges undetected. We will monitor threat intelligence feeds for proof-of-concept code and active exploitation campaigns.
Published via PulseTrace — Adverse Trace threat intelligence.