UDS Identity Config has a client authentication bypass in `ClientIdAndKubernetesSecretAuthenticator`
CVE-2026-46389

10CRITICAL

Key Information:

Vendor: Defenseunicorns
Status: Uds-identity-config
Vendor: CVE Published:; 5 June 2026

🔔 Create Defenseunicorns Vulnerability Alert

What is CVE-2026-46389?

UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Identity deployment. In versions 0.11.0 through 0.26.0, a logic error in the client-kubernetes-secret Keycloak client authenticator (shipped by uds-identity-config and consumed by UDS Core) causes the submitted client_secret to be overwritten with the mounted Kubernetes secret before comparison. An attacker who can reach the Keycloak token endpoint and knows a client_id using this authenticator can authenticate as that client with any client_secret value and obtain OAuth2 tokens scoped to the client's service account. In the case of the uds-operator client this token can be used to registry/modify other clients. Version 0.26.1 patches the issue.

Affected Version(s)

uds-identity-config >= 0.11.0, < 0.26.1

References

https://github.com/defenseunicorns/uds-identity-config/se...

x_refsource_CONFIRM

https://github.com/defenseunicorns/uds-identity-config/re...

x_refsource_MISC

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 5, 2026
Vulnerability Reserved
May 13, 2026

CVE-2026-46389 Data

JSON