Skip to content
CVSS 10.0CVSS 10.0 · CRITICAL

CVE-2026-46389

UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Identity deployment. In versions 0.11.0 through 0.26.0, a logic error in the `client-kubernetes-secret` Keycloak client authenticator (shipped by `uds-identity-config` and consumed by UDS Core) causes the submitted `client_secret` to be overwritten with the mounted Kubernetes secret before comparison. An attacker who can reach the Keycloak token endpoint and knows a `client_id` using this authenticator can authenticate as that client with any `client_secret` value and obtain OAuth2 tokens scoped to the client's service account. In the case of the `uds-operator` client this token can be used to registry/modify other clients. Version 0.26.1 patches the issue.

View on NVD

Analysis

UDS Identity Config presenta un fallo de seguridad que permite a un atacante autenticarse como cualquier cliente de Keycloak usando cualquier valor como secreto si conoce el client_id. Esto otorga acceso a tokens OAuth2 de cuentas de servicio, permitiendo en algunos casos escalar privilegios para modificar otros clientes del ecosistema UDS. Es fundamental actualizar a la versión 0.26.1 para corregir este error de lógica en el proceso de autenticación.

Relevant roles

BackendCyberSecurityKubernetesDockerCloudJava

Severity

Score: 10.0(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: CHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE): CWE-287CWE-303

EPSS

No EPSS score yet (CVE may be too fresh).

Technical description

UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Identity deployment. In versions 0.11.0 through 0.26.0, a logic error in the `client-kubernetes-secret` Keycloak client authenticator (shipped by `uds-identity-config` and consumed by UDS Core) causes the submitted `client_secret` to be overwritten with the mounted Kubernetes secret before comparison. An attacker who can reach the Keycloak token endpoint and knows a `client_id` using this authenticator can authenticate as that client with any `client_secret` value and obtain OAuth2 tokens scoped to the client's service account. In the case of the `uds-operator` client this token can be used to registry/modify other clients. Version 0.26.1 patches the issue.

Published: 6/5/2026, 7:16:32 PM
Last modified: 6/5/2026, 7:21:22 PM

References

HomeEventsBlogResourcesTeam