CVE-2026-46389
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Identity deployment. In versions 0.11.0 through 0.26.0, a logic error in the client-kubernetes-secret Keycloak client authenticator (shipped by uds-identity-config and consumed by UDS Core) causes the submitted client_secret to be overwritten with the mounted Kubernetes secret before comparison. An attacker who can reach the Keycloak token endpoint and knows a client_id using this authenticator can authenticate as that client with any client_secret value and obtain OAuth2 tokens scoped to the client's service account. In the case of the uds-operator client this token can be used to registry/modify other clients. Version 0.26.1 patches the issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| defenseunicorns | uds-identity-config | >= 0.11.0, < 0.26.1 | affected |
Weaknesses
- CWE-287: CWE-287: Improper Authentication
- CWE-303: CWE-303: Incorrect Implementation of Authentication Algorithm
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
- https://github.com/defenseunicorns/uds-identity-config/security/advisories/GHSA-8mg2-6588-r4hw
- https://github.com/defenseunicorns/uds-identity-config/releases/tag/v0.26.1
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.