Keycloak Admin Privilege Escalation via Partial Import

A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm administrator by importing users with realm-admin role mappings.

Casky was already ahead

This CVE exploits attack patterns that Casky's 261matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.

Analysis

CVE-2026-11577 exposes a critical access control flaw in Keycloak's partial import endpoint that allows limited administrators to escalate privileges to full realm administrators. By exploiting improper validation in the POST /admin/realms/{realm}/partialImport endpoint, threat actors can bypass Fine-Grained Admin Permissions (FGAP) controls and inject users with elevated role mappings. This vulnerability affects organizations relying on Keycloak for identity and access management, particularly those implementing least-privilege administrative models where restricted admins should have limited scope. The ability to circumvent FGAP represents a significant risk to multi-tenant environments and enterprises with strict role segregation requirements.

Casky's 261 matching skills leverage Claude's extended reasoning to correlate this vulnerability with MITRE ATT&CK's Privilege Escalation (TA0004) and Credential Access (TA0006) techniques. Practitioners using Casky would detect attack patterns including: suspicious POST requests to the partialImport endpoint with user object payloads containing realm-admin role claims, unusual role mapping assignments originating from limited admin accounts, and temporal correlations between import operations and subsequent administrative actions. The platform's skill mapping identifies the CWE-863 authorization bypass signature, flagging cases where administrative scope boundaries are violated. Security teams would see findings highlighting admin accounts performing actions outside their delegated permissions, enabling rapid detection of lateral privilege escalation attempts before full realm compromise occurs.

Live Threat IntelligenceComing soon

Casky Risk Score

—

EPSS Probability

—

Shodan Exposure

—

GreyNoise Signal

—

Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →

261 Casky skills cover this attack pattern

These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-11577.

analyzing-cloud-storage-access-patterns

cloud security · low

Run

analyzing-kubernetes-audit-logs

container security · low

Run

analyzing-malicious-url-with-urlscan

phishing defense · medium

Run

MITRE ATT&CK Techniques

TA0004 TA0006

Investigate the attack patterns behind CVE-2026-11577

Casky has 261 skills that investigate the attack patterns behind CVE-2026-11577. Run one and get CVSS-scored findings in 3 minutes.

Run the skill that detects this →

X Instagram LinkedIn