CRITICAL🇵🇱 Wersja polska

CVE-2026-46389

CVSS 10.0v3.1pub. 2026-06-05upd. 2026-06-15

UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Identity deployment. In versions 0.11.0 through 0.26.0, a logic error in the `client-kubernetes-secret` Keycloak client authenticator (shipped by `uds-identity-config` and consumed by UDS Core) causes the submitted `client_secret` to be overwritten with the mounted Kubernetes secret before comparison. An attacker who can reach the Keycloak token endpoint and knows a `client_id` using this authenticator can authenticate as that client with any `client_secret` value and obtain OAuth2 tokens scoped to the client's service account. In the case of the `uds-operator` client this token can be used to registry/modify other clients. Version 0.26.1 patches the issue.

🤖 AI Analysis
How it works

In versions 0.11.0–0.26.0, the `client-kubernetes-secret` authenticator overwrites the submitted `client_secret` value with the secret mounted from Kubernetes before performing the comparison. As a result, any value provided by the attacker in the `client_secret` field is replaced with the actual value, causing the verification to always succeed. The attacker only needs to know the `client_id` of the client using this authenticator and have network access to the Keycloak token endpoint.

Impact

An attacker can obtain OAuth2 tokens assigned to a selected Keycloak client service account, and in the case of the `uds-operator` client, create and modify other clients, leading to complete identity and privilege takeover in the UDS Core environment.

Mitigation & patch

UDS Identity Config should be updated to version 0.26.1, which contains a fix for the logic error. Details available in the vendor references: https://github.com/defenseunicorns/uds-identity-config/releases/tag/v0.26.1

Who is affected

UDS Identity Config in versions 0.11.0 through 0.26.0 (inclusive) and UDS Core environments using these versions of Keycloak configuration.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Defenseunicorns Uds Identity Config

    APP
    Defenseunicorns
    0.11.0 – 0.26.1 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
ContainerAuth Bypass
CWE
References

Related vulnerabilities

CVE-2026-23634NONE0ten sam vendor

Pepr is a type safe K8s middleware. Prior to 1.0.5 , Pepr defaults to a cluster-admin RBAC configuration and d...