CVE-2026-46389

Source
https://cve.org/CVERecord?id=CVE-2026-46389
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46389.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46389
Aliases
  • GHSA-8mg2-6588-r4hw
Published
2026-06-05T18:10:47.173Z
Modified
2026-07-08T08:14:00.620697590Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
UDS Identity Config has a client authentication bypass in `ClientIdAndKubernetesSecretAuthenticator`
Details

UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Identity deployment. In versions 0.11.0 through 0.26.0, a logic error in the client-kubernetes-secret Keycloak client authenticator (shipped by uds-identity-config and consumed by UDS Core) causes the submitted client_secret to be overwritten with the mounted Kubernetes secret before comparison. An attacker who can reach the Keycloak token endpoint and knows a client_id using this authenticator can authenticate as that client with any client_secret value and obtain OAuth2 tokens scoped to the client's service account. In the case of the uds-operator client this token can be used to registry/modify other clients. Version 0.26.1 patches the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46389.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-287",
        "CWE-303"
    ]
}
References

Affected packages

Git / github.com/defenseunicorns/uds-identity-config

Affected ranges

Type
GIT
Repo
https://github.com/defenseunicorns/uds-identity-config
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:defenseunicorns:uds_identity_config:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0.11.0"
        },
        {
            "fixed": "0.26.1"
        }
    ]
}

Affected versions

v0.*
v0.11.0
v0.11.1
v0.12.0
v0.12.1
v0.13.0
v0.13.1
v0.14.0
v0.14.1
v0.15.0
v0.15.1
v0.15.2
v0.16.0
v0.16.1
v0.16.2
v0.16.3
v0.17.0
v0.18.0
v0.19.0
v0.19.1
v0.20.0
v0.21.0
v0.22.0
v0.22.1
v0.23.0
v0.24.0
v0.25.0
v0.26.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46389.json"