Description
UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Identity deployment. In versions 0.11.0 through 0.26.0, a logic error in the `client-kubernetes-secret` Keycloak client authenticator (shipped by `uds-identity-config` and consumed by UDS Core) causes the submitted `client_secret` to be overwritten with the mounted Kubernetes secret before comparison. An attacker who can reach the Keycloak token endpoint and knows a `client_id` using this authenticator can authenticate as that client with any `client_secret` value and obtain OAuth2 tokens scoped to the client's service account. In the case of the `uds-operator` client this token can be used to register/modify other clients. Version 0.26.1 patches the issue.
Published: 2026-06-05
Score: 10 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A logic error in the client-kubernetes-secret authenticator shipped with UDS Identity Config causes the submitted client_secret to be overwritten by the mounted Kubernetes secret before the comparison is made, so the check compares the secret with itself and always passes. Anyone who can reach the Keycloak token endpoint and knows the client_id of a client that uses this authenticator can therefore authenticate as that client with any client_secret value and receive OAuth2 tokens scoped to that client's service account. If the client is uds-operator, the token can be used to register or modify other clients, which can give broad control over identity within the deployment.
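The bug class above, as an added illustration (this is not code from uds-identity-config or Keycloak). The functions model only what the description states: the authenticator reads the client's expected secret from a mounted Kubernetes Secret and compares it with the client_secret the caller submitted. The per-client file layout under the mount directory, the sample secret value and the client names are constructed assumptions for the example.

```python
"""Model of the client_secret overwrite bug and its hardened form.

Added example, not project code. Assumption: the mounted Kubernetes
Secret is presented as one file per client_id in a directory, which
is how a Secret volume mount exposes its keys.
"""
import hmac
import os
import secrets
import tempfile
from typing import Callable, Optional

# Constructed sample: a mount directory with one secret file for the
# uds-operator client (value is illustrative).
_MOUNT_DIR = tempfile.mkdtemp(prefix="kube-secret-")
with open(os.path.join(_MOUNT_DIR, "uds-operator"), "w") as fh:
    fh.write("s3cr3t-from-kubernetes")


def mounted_secret(client_id: str, mount_dir: str = _MOUNT_DIR) -> Optional[str]:
    """Return the secret mounted for client_id, or None if there is none."""
    path = os.path.join(mount_dir, client_id)
    if not os.path.isfile(path):
        return None
    with open(path) as fh:
        return fh.read().strip()


def authenticate_vulnerable(client_id: str, client_secret: str) -> bool:
    """Bug pattern from the description: the submitted value is replaced
    by the mounted value before it is compared, so the comparison is
    always between the mounted secret and itself and always succeeds."""
    expected = mounted_secret(client_id)
    if expected is None:
        return False
    client_secret = expected  # the logic error: caller input discarded
    return hmac.compare_digest(client_secret.encode(), expected.encode())


def authenticate_fixed(client_id: str, client_secret: Optional[str]) -> bool:
    """Hardened form: never reassign the submitted value; compare the
    caller's input against the mounted secret in constant time."""
    expected = mounted_secret(client_id)
    if expected is None or client_secret is None:
        return False
    return hmac.compare_digest(client_secret.encode(), expected.encode())


def accepts_any_secret(authenticate: Callable[[str, str], bool],
                       client_id: str, trials: int = 5) -> bool:
    """Black-box check usable against either implementation: a correct
    authenticator must reject random secrets. True means bypass."""
    return any(authenticate(client_id, secrets.token_urlsafe(32))
               for _ in range(trials))


if __name__ == "__main__":
    print("vulnerable accepts random secret:",
          accepts_any_secret(authenticate_vulnerable, "uds-operator"))
    print("fixed accepts random secret:",
          accepts_any_secret(authenticate_fixed, "uds-operator"))
    print("fixed accepts real secret:",
          authenticate_fixed("uds-operator", "s3cr3t-from-kubernetes"))
```

The same black-box idea applies to a live deployment: a client-credentials request to the token endpoint with a random client_secret must return an error; a 200 with an access_token indicates the vulnerable authenticator is still in use.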

Affected Systems

The vulnerability affects defenseunicorns UDS Identity Config versions 0.11.0 through 0.26.0, which provide the Keycloak client authenticator used by UDS Core’s Identity deployment. The flaw is resolved in version 0.26.1. Systems running any of the affected releases and exposing the Keycloak token endpoint are at risk.

Risk and Exploitability

With a CVSS 3.1 score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), this is a critical flaw reachable over the network with no privileges and no user interaction. EPSS data is not available, the CVE is not in the CISA KEV catalog, and the SSVC assessment on this page records Exploitation as none, so there is no evidence of exploitation in the wild yet. The attack path is nonetheless trivial: network reach to the Keycloak token endpoint plus knowledge of a client_id that uses the affected authenticator, with no guessing or cryptographic work, which the SSVC record reflects by marking the issue Automatable. Escalation potential is greatest for privileged clients such as uds-operator, whose token can register or modify other clients.

Generated by OpenCVE AI on June 5, 2026 at 21:06 UTC.

Remediation

Version 0.26.1 of UDS Identity Config patches the issue (see the description). No separate vendor workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade UDS Identity Config to version 0.26.1 or newer, which patches the client_secret overwrite logic error.
  • Disable or restrict the client-kubernetes-secret authenticator for high‑privilege clients until the patch is applied, or remove the authenticator from the Keycloak realm configuration.
  • Apply network segmentation or firewall rules to restrict external access to the Keycloak token endpoint and enforce least privilege for service accounts.
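Scoping the second action above requires knowing which clients in the realm use the affected authenticator. The following is an added example (not project code) that audits a Keycloak realm export for that. It relies on the standard Keycloak ClientRepresentation fields clientId, clientAuthenticatorType, serviceAccountsEnabled and enabled; the authenticator id "client-kubernetes-secret" is the one named in the description. The sample export, realm name and client names are constructed for the example.

```python
"""Audit a Keycloak realm export for clients using client-kubernetes-secret.

Added example, not code from uds-identity-config or Keycloak. Run it
against a realm export produced by the Keycloak admin console or
`kc.sh export`; the embedded sample stands in for such a file.
"""
import json
from typing import Dict, List

AFFECTED_AUTHENTICATOR = "client-kubernetes-secret"

# Constructed sample realm export; only the fields the audit needs.
SAMPLE_REALM_EXPORT = json.dumps({
    "realm": "uds",
    "clients": [
        {"clientId": "uds-operator",
         "clientAuthenticatorType": "client-kubernetes-secret",
         "serviceAccountsEnabled": True, "enabled": True},
        {"clientId": "grafana",
         "clientAuthenticatorType": "client-secret",
         "serviceAccountsEnabled": False, "enabled": True},
        {"clientId": "legacy-tool",
         "clientAuthenticatorType": "client-kubernetes-secret",
         "serviceAccountsEnabled": True, "enabled": False},
    ],
})


def affected_clients(realm_export_json: str,
                     include_disabled: bool = False) -> List[Dict]:
    """Return clients whose authenticator is the affected one, most
    exposed first (enabled clients with service accounts can mint
    service-account tokens, which is what the bypass yields)."""
    realm = json.loads(realm_export_json)
    found = []
    for client in realm.get("clients", []):
        if client.get("clientAuthenticatorType") != AFFECTED_AUTHENTICATOR:
            continue
        enabled = bool(client.get("enabled", True))
        if not enabled and not include_disabled:
            continue
        found.append({
            "clientId": client.get("clientId"),
            "enabled": enabled,
            "serviceAccountsEnabled": bool(client.get("serviceAccountsEnabled", False)),
        })
    # Sort: enabled + service account first, then enabled, then disabled.
    found.sort(key=lambda c: (not c["enabled"], not c["serviceAccountsEnabled"],
                              c["clientId"] or ""))
    return found


def exposure_report(realm_export_json: str) -> Dict:
    """Summary a responder can paste into a ticket: realm, counts and
    the client ids that need the authenticator restricted or swapped."""
    realm = json.loads(realm_export_json)
    hits = affected_clients(realm_export_json, include_disabled=True)
    return {
        "realm": realm.get("realm"),
        "clients_total": len(realm.get("clients", [])),
        "affected_enabled": [c["clientId"] for c in hits if c["enabled"]],
        "affected_disabled": [c["clientId"] for c in hits if not c["enabled"]],
    }


if __name__ == "__main__":
    print(json.dumps(exposure_report(SAMPLE_REALM_EXPORT), indent=2))
```

Disabled clients are reported separately because re-enabling one later would silently reintroduce the exposure if the authenticator was left in place.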

Generated by OpenCVE AI on June 5, 2026 at 21:06 UTC.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 20:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 19:00:00 +0000

Type: Description
Values Added: UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Identity deployment. In versions 0.11.0 through 0.26.0, a logic error in the `client-kubernetes-secret` Keycloak client authenticator (shipped by `uds-identity-config` and consumed by UDS Core) causes the submitted `client_secret` to be overwritten with the mounted Kubernetes secret before comparison. An attacker who can reach the Keycloak token endpoint and knows a `client_id` using this authenticator can authenticate as that client with any `client_secret` value and obtain OAuth2 tokens scoped to the client's service account. In the case of the `uds-operator` client this token can be used to registry/modify other clients. Version 0.26.1 patches the issue.

Type: Title
Values Added: UDS Identity Config has a client authentication bypass in `ClientIdAndKubernetesSecretAuthenticator`

Type: Weaknesses
Values Added: CWE-287, CWE-303

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-05T19:40:55.970Z

Reserved: 2026-05-13T19:53:47.922Z

Link: CVE-2026-46389

Vulnrichment

Updated: 2026-06-05T19:40:51.714Z

NVD

Status : Awaiting Analysis

Published: 2026-06-05T19:16:32.703

Modified: 2026-06-05T19:21:22.423

Link: CVE-2026-46389

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T21:15:05Z

Weaknesses