CVE-2026-46389
Analyzed Analyzed - Analysis Complete
Authentication Bypass in UDS Identity Config

Publication date: 2026-06-05

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description
UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Identity deployment. In versions 0.11.0 through 0.26.0, a logic error in the `client-kubernetes-secret` Keycloak client authenticator (shipped by `uds-identity-config` and consumed by UDS Core) causes the submitted `client_secret` to be overwritten with the mounted Kubernetes secret before comparison. An attacker who can reach the Keycloak token endpoint and knows a `client_id` using this authenticator can authenticate as that client with any `client_secret` value and obtain OAuth2 tokens scoped to the client's service account. In the case of the `uds-operator` client this token can be used to registry/modify other clients. Version 0.26.1 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-15
Generated
2026-06-27
AI Q&A
2026-06-05
EPSS Evaluated
2026-06-25
NVD
CVE-2026-46389
EUVD
EUVD-2026-34879
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
defenseunicorns uds_identity_config From 0.11.0 (inc) to 0.26.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-303 The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the uds-identity-config component, specifically in the ClientIdAndKubernetesSecretAuthenticator used by UDS Core's Identity deployment. Due to a logic error, the submitted client_secret is overwritten with a mounted Kubernetes secret before comparison, allowing an attacker who can reach the Keycloak token endpoint and knows a client_id to authenticate as that client using any client_secret value.

This flaw enables unauthorized access to OAuth2 tokens scoped to the client's service account, including privileged clients like uds-operator, which can then be used to create, modify, or delete OIDC clients.

The vulnerability affects versions 0.11.0 through 0.26.0 of uds-identity-config and was patched in version 0.26.1.

Impact Analysis

This vulnerability can have severe impacts as it allows an attacker to bypass client authentication and obtain OAuth2 tokens with the privileges of the targeted client.

  • Unauthorized access to sensitive OAuth2 tokens.
  • Potential for privilege escalation by using tokens from privileged clients like uds-operator.
  • Ability for attackers to create, modify, or delete OIDC clients, leading to further credential theft or unauthorized access.
  • High impact on confidentiality, integrity, and availability of the affected systems.
Detection Guidance

This vulnerability can be detected by reviewing Keycloak event logs for suspicious activity, such as unexpected client operations or unauthorized token requests involving the affected clients.

Specifically, monitoring the Keycloak token endpoint for unusual authentication attempts where any client_secret value is accepted for a known client_id using the vulnerable authenticator can indicate exploitation.

While no specific commands are provided in the resources, administrators should query Keycloak logs for events related to the uds-operator client or other clients using the client-kubernetes-secret authenticator.

Mitigation Strategies

Immediate mitigation steps include upgrading uds-identity-config to version 0.26.1 or later, which contains the patch for this vulnerability.

For UDS Core deployments, upgrade to patched versions of UDS Core (v1.0.1, v1.1.1, or v1.2.2) that include fixes for this issue.

As a temporary workaround, switch the uds-operator client authentication mechanism from the vulnerable Kubernetes secret authenticator to the Client ID and Secret authenticator.

Additionally, review and apply client policy restrictions to limit the scope of operations that can be performed with tokens obtained via this authenticator.

Finally, monitor Keycloak event logs closely for any suspicious activity to detect potential exploitation attempts.

Compliance Impact

This vulnerability allows an attacker to bypass client authentication and obtain OAuth2 tokens with high privileges, including the ability to create, modify, or delete OIDC clients. Such unauthorized access and potential privilege escalation can lead to unauthorized disclosure, modification, or disruption of sensitive data and services.

Given the critical impact on confidentiality, integrity, and availability of authentication tokens and client configurations, this vulnerability could negatively affect compliance with standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and systems.

Organizations using affected versions should remediate promptly to maintain compliance by preventing unauthorized access and ensuring proper authentication mechanisms are in place.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46389. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart