{"api_version":"1","generated_at":"2026-07-03T18:06:41+00:00","cve":"CVE-2026-11577","urls":{"html":"https://cve.report/CVE-2026-11577","api":"https://cve.report/api/cve/CVE-2026-11577.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-11577","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-11577"},"summary":{"title":"CVE-2026-11577","description":"Rejected reason: The reported behavior does not constitute a privilege escalation. Exploitation requires the attacker to already possess the manage-realm administrative role within the realm-management client. By design, the manage-realm role is intended to be equivalent in administrative authority to realm-admin. A user with manage-realm already has full administrative control over the realm. Therefore, importing users with realm-admin role mappings through POST /admin/realms/{realm}/partialImport does not grant any additional privileges beyond those already held by the administrator and does not represent a security vulnerability.","state":"REJECTED","assigner":"redhat","published_at":"2026-06-08 13:16:32","updated_at":"2026-07-03 10:16:22"},"problem_types":[],"metrics":[],"references":[{"url":"https://access.redhat.com/security/cve/CVE-2026-11577","name":"https://access.redhat.com/security/cve/CVE-2026-11577","refsource":"MITRE","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2459993","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2459993","refsource":"MITRE","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/keycloak/keycloak/issues/9387","name":"https://github.com/keycloak/keycloak/issues/9387","refsource":"MITRE","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-11577.json","name":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-11577.json","refsource":"MITRE","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-11577","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-11577","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"11577","cve":"CVE-2026-11577","epss":"0.003290000","percentile":"0.248130000","score_date":"2026-07-02","updated_at":"2026-07-03 00:06:14"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"providerMetadata":{"dateUpdated":"2026-07-03T09:01:43.784Z","orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat"},"rejectedReasons":[{"lang":"en","value":"The reported behavior does not constitute a privilege escalation. Exploitation requires the attacker to already possess the manage-realm administrative role within the realm-management client. By design, the manage-realm role is intended to be equivalent in administrative authority to realm-admin. A user with manage-realm already has full administrative control over the realm. Therefore, importing users with realm-admin role mappings through POST /admin/realms/{realm}/partialImport does not grant any additional privileges beyond those already held by the administrator and does not represent a security vulnerability."}]}},"cveMetadata":{"assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","assignerShortName":"redhat","cveId":"CVE-2026-11577","datePublished":"2026-06-08T11:44:41.892Z","dateRejected":"2026-07-03T09:01:43.784Z","dateReserved":"2026-06-08T11:34:22.437Z","dateUpdated":"2026-07-03T09:01:43.784Z","state":"REJECTED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-08 13:16:32","lastModifiedDate":"2026-07-03 10:16:22","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"11577","Ordinal":"1","Title":"CVE-2026-11577","CVE":"CVE-2026-11577","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"11577","Ordinal":"1","NoteData":"Rejected reason: The reported behavior does not constitute a privilege escalation. Exploitation requires the attacker to already possess the manage-realm administrative role within the realm-management client. By design, the manage-realm role is intended to be equivalent in administrative authority to realm-admin. A user with manage-realm already has full administrative control over the realm. Therefore, importing users with realm-admin role mappings through POST /admin/realms/{realm}/partialImport does not grant any additional privileges beyond those already held by the administrator and does not represent a security vulnerability.","Type":"Description","Title":"CVE-2026-11577"}]}}}