Keycloak Improper Access Control Vulnerability in Partial Import Endpoint Allows Privilege Escalation

Vulnerability

A privilege escalation vulnerability has been identified in Keycloak's admin REST endpoint POST /admin/realms/{realm}/partialImport. The endpoint performs insufficient access control on the objects it imports, so a limited administrator can bypass Fine-Grained Admin Permissions (FGAP). By importing users whose role mappings include the realm-admin role, such an administrator escalates to full realm administrator.

Impact

Exploitation of this vulnerability lets a limited administrator obtain full realm administrator privileges, and with them the ability to read and modify every part of the realm, including user data, credentials, and client (application) configurations.

Reproduction

To reproduce this vulnerability, create a user in the target realm whose only administrative privilege is the 'manage-realm' role of the realm-management client. Authenticated as that user, send a partial import (POST /admin/realms/{realm}/partialImport) whose JSON body contains client definitions or users with realm-admin role mappings. The import succeeds even though the user holds neither 'manage-clients' nor 'manage-users', so it should not be able to create those objects or grant those roles.
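As an added example (not Keycloak code and not part of this advisory), the following Python builds a partial-import document of the shape the reproduction describes, a user whose clientRoles map realm-management/realm-admin, optionally alongside a client definition, and models the per-object authorization check that a correct endpoint should apply before importing. The role names and the document layout (users, clients, clientRoles) are Keycloak's; the policy encoded in audit_partial_import, the composite expansion in effective_roles, and all function names are assumptions for illustration, not Keycloak's own implementation.

```python
"""Model of the per-object permission check a partial import should make.
Added example; assumptions are marked. Not Keycloak source code."""
import json

REALM_MANAGEMENT = "realm-management"  # client that owns Keycloak's admin roles

# Keycloak's realm-admin is a composite of the other realm-management roles;
# this expansion table is our own, minimal approximation of that composite.
COMPOSITES = {
    "realm-admin": {"manage-realm", "manage-users", "manage-clients",
                    "manage-authorization", "manage-identity-providers",
                    "manage-events", "realm-admin"},
}

# realm-management roles whose mapping hands out realm-wide power (our grouping).
PRIVILEGED_ROLES = {"realm-admin", "manage-realm", "manage-users",
                    "manage-clients", "manage-authorization"}


def build_escalation_payload(username="escalated-admin", with_client=False):
    """Constructed sample of the payload described in the advisory: a user that
    arrives with realm-admin already mapped, plus (optionally) a client."""
    doc = {
        "users": [{
            "username": username,
            "enabled": True,
            "credentials": [{"type": "password", "value": "S3cret!", "temporary": False}],
            "clientRoles": {REALM_MANAGEMENT: ["realm-admin"]},
        }]
    }
    if with_client:
        doc["clients"] = [{"clientId": "imported-client", "enabled": True,
                           "publicClient": False, "redirectUris": ["https://app.example/*"]}]
    return doc


def effective_roles(importer_roles):
    """Expand composites so that holding realm-admin implies its members."""
    effective = set(importer_roles)
    for role in importer_roles:
        effective |= COMPOSITES.get(role, set())
    return effective


def audit_partial_import(doc, importer_roles):
    """Return (object, reason) findings for everything the importer may not
    create. Policy (assumed): clients need manage-clients, users need
    manage-users, and mapping a privileged realm-management role onto an
    imported user requires the importer to hold realm-admin itself."""
    roles = effective_roles(importer_roles)
    findings = []
    for client in doc.get("clients", []):
        if "manage-clients" not in roles:
            findings.append((f"client:{client.get('clientId')}", "requires manage-clients"))
    for user in doc.get("users", []):
        name = f"user:{user.get('username')}"
        if "manage-users" not in roles:
            findings.append((name, "requires manage-users"))
        mapped = set(user.get("clientRoles", {}).get(REALM_MANAGEMENT, []))
        privileged = sorted(mapped & PRIVILEGED_ROLES)
        if privileged and "realm-admin" not in roles:
            findings.append((name, f"maps {privileged} without holding realm-admin"))
    return findings


def is_import_allowed(doc, importer_roles):
    """True only when no object in the document exceeds the importer's rights."""
    return not audit_partial_import(doc, importer_roles)


if __name__ == "__main__":
    payload = build_escalation_payload(with_client=True)
    print(json.dumps(payload, indent=2))
    # The vulnerable endpoint accepts the first case; a correct one rejects it.
    for held in ({"manage-realm"}, {"manage-users", "manage-clients"}, {"realm-admin"}):
        verdict = "ALLOW" if is_import_allowed(payload, held) else audit_partial_import(payload, held)
        print(sorted(held), "->", verdict)
```

The manage-realm-only case is the advisory's scenario: every object in the payload fails the check, which is exactly what the vulnerable endpoint omits. The manage-users plus manage-clients case shows why object-level checks alone are not enough; the role mapping carried inside the user record still has to be authorized separately.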

Added: Jun 8, 2026, 1:23 PM
Updated: Jun 8, 2026, 1:23 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 2.5
exploitability: 6.8
remediation: 0.0
relevance: 9.3
threat: 6.4
urgency: 2.9
incentive: 0.0

The algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.