CVE-2026-46389
CriticalCVSS 10.0Exploitation Probability (EPSS)
Low risk25th percentile — higher than 25% of all known CVEs
Summary
In versions 0.11.0 through 0.26.0, there is a logic error in the `client-kubernetes-secret` Keycloak client authenticator that allows an attacker to overwrite the `client_secret` with the mounted Kubernetes secret. This enables authentication as that client with any `client_secret` value and obtaining OAuth2 tokens.
Risk Assessment
An attacker who can access the Keycloak token endpoint and knows a `client_id` can gain access to the client's resources, potentially leading to unauthorized modifications of other clients' configurations.
Recommendation
It is recommended to upgrade to version 0.26.1, which patches this issue. Additionally, monitor access to the Keycloak token endpoint and verify the usage of `client_secret`.
Original NVD description (English source)
UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Identity deployment. In versions 0.11.0 through 0.26.0, a logic error in the `client-kubernetes-secret` Keycloak client authenticator (shipped by `uds-identity-config` and consumed by UDS Core) causes the submitted `client_secret` to be overwritten with the mounted Kubernetes secret before comparison. An attacker who can reach the Keycloak token endpoint and knows a `client_id` using this authenticator can authenticate as that client with any `client_secret` value and obtain OAuth2 tokens scoped to the client's service account. In the case of the `uds-operator` client this token can be used to registry/modify other clients. Version 0.26.1 patches the issue.

