CVSS 10.0 · CRITICAL

CVE-2026-46389

UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Identity deployment. In versions 0.11.0 through 0.26.0, a logic error in the `client-kubernetes-secret` Keycloak client authenticator (shipped by `uds-identity-config` and consumed by UDS Core) causes the submitted `client_secret` to be overwritten with the mounted Kubernetes secret before the comparison, so the comparison can never fail. An attacker who can reach the Keycloak token endpoint and knows a `client_id` that uses this authenticator can authenticate as that client with any `client_secret` value and obtain OAuth2 tokens scoped to the client's service account. For the `uds-operator` client, that token can be used to register or modify other clients. Version 0.26.1 patches the issue.
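The overwrite-before-compare pattern described above, as an added example that is not the project's own code (the real authenticator is a Java Keycloak SPI; this Python models only its logic). It places the buggy comparison beside a corrected constant-time one, and adds the check a defender would run against a deployment: present a deliberately wrong secret to the token endpoint and see whether a token comes back. The client name, the mounted secret value, the stand-in token endpoint and its response bodies are all constructed for the example.

```python
"""Added illustration of CVE-2026-46389's logic error and a defender-side probe.
Not uds-identity-config code; all names and values below are constructed."""
import hmac
from typing import Callable, Dict

# Constructed stand-in for the Kubernetes Secret mounted into the Keycloak pod.
# Key = client_id, value = the secret the authenticator should compare against.
MOUNTED_SECRETS: Dict[str, str] = {"uds-operator": "s3cr3t-from-k8s-secret"}


def vulnerable_authenticate(client_id: str, submitted_secret: str) -> bool:
    """Mirrors the advisory's bug: the value the caller sent is replaced by the
    mounted value *before* the comparison, so any secret passes for a known client."""
    mounted = MOUNTED_SECRETS.get(client_id)
    if mounted is None:
        return False
    submitted_secret = mounted          # bug: discards what the caller submitted
    return submitted_secret == mounted  # always True once client_id is known


def fixed_authenticate(client_id: str, submitted_secret: str) -> bool:
    """Corrected form: compare the submitted value against the mounted one,
    in constant time, and reject unknown clients and empty secrets."""
    mounted = MOUNTED_SECRETS.get(client_id)
    if mounted is None or not submitted_secret:
        return False
    return hmac.compare_digest(submitted_secret.encode(), mounted.encode())


def token_endpoint(authenticate: Callable[[str, str], bool]) -> Callable[[dict], dict]:
    """Constructed stand-in for POST /realms/<realm>/protocol/openid-connect/token
    handling the client_credentials grant; returns a dict shaped like the JSON body."""
    def handle(form: dict) -> dict:
        if form.get("grant_type") != "client_credentials":
            return {"error": "unsupported_grant_type"}
        client_id = form.get("client_id", "")
        if authenticate(client_id, form.get("client_secret", "")):
            # Constructed token; a real endpoint returns a signed JWT here.
            return {"access_token": f"constructed-token-for-{client_id}",
                    "token_type": "Bearer"}
        return {"error": "unauthorized_client",
                "error_description": "Invalid client or Invalid client credentials"}
    return handle


def probe(endpoint: Callable[[dict], dict], client_id: str,
          bogus_secret: str = "definitely-not-the-real-secret") -> str:
    """Defender's check: if a token is issued for a secret that is certainly wrong,
    the authenticator in front of this client is the vulnerable build."""
    resp = endpoint({"grant_type": "client_credentials",
                     "client_id": client_id,
                     "client_secret": bogus_secret})
    return "VULNERABLE" if "access_token" in resp else "not vulnerable"


if __name__ == "__main__":
    for label, auth in (("0.11.0-0.26.0", vulnerable_authenticate),
                        ("0.26.1", fixed_authenticate)):
        print(label, probe(token_endpoint(auth), "uds-operator"))
```

Against a real deployment the stand-in `token_endpoint` is replaced by an HTTP POST to the realm's token endpoint for a client you own; a `200` with an `access_token` for a wrong secret is the signal, and a `401` with `unauthorized_client` is the expected patched behaviour.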


Analysis

UDS Identity Config has a security flaw that lets an attacker authenticate as any Keycloak client that uses the `client-kubernetes-secret` authenticator, supplying any value as the secret, provided the `client_id` is known. This yields OAuth2 tokens for the client's service account and, for the `uds-operator` client, allows privilege escalation to modify other clients in the UDS ecosystem. Updating to version 0.26.1 corrects this logic error in the authentication process.

Relevant roles

Backend, CyberSecurity, Kubernetes, Docker, Cloud, Java

Severity

Score: 10.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: CHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness type (CWE): CWE-287, CWE-303

EPSS

No EPSS score yet (very recent CVE).


Published: 5/6/2026, 19:16:32
Last modified: 5/6/2026, 19:21:22
