UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Identity deployment. In versions 0.11.0 through 0.26.0, a logic error in the client-kubernetes-secret Keycloak client authenticator (shipped by uds-identity-config and consumed by UDS Core) causes the submitted client_secret to be overwritten with the mounted Kubernetes secret before comparison. An attacker who can reach the Keycloak token endpoint and knows a client_id using this authenticator can authenticate as that client with any client_secret value and obtain OAuth2 tokens scoped to the client's service account. In the case of the uds-operator client this token can be used to registry/modify other clients. Version 0.26.1 patches the issue.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46389.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-287",
"CWE-303"
]
}{
"source": [
"AFFECTED_FIELD",
"CPE_RANGE",
"REFERENCES"
],
"cpe": "cpe:2.3:a:defenseunicorns:uds_identity_config:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0.11.0"
},
{
"fixed": "0.26.1"
}
]
}