CVE-2026-46389

Vulnerability

A logic error in the client-kubernetes-secret Keycloak client authenticator, shipped by uds-identity-config and consumed by UDS Core, causes the submitted client_secret to be overwritten with the mounted Kubernetes secret before comparison. This affects uds-identity-config versions 0.11.0 through 0.26.0 and uds-core versions 0.39.0 through 1.0.0, 1.1.0, and 1.2.0 through 1.2.1 [1].

Exploitation

An attacker who can reach the Keycloak token endpoint and knows a client_id using this authenticator can authenticate as that client with any client_secret value. This is achieved by sending a request to the token endpoint with a valid client_id and any client_secret, which will be ignored in favor of the Kubernetes secret comparison [1].

Impact

Successful exploitation allows an attacker to obtain OAuth2 tokens scoped to the client's service account. In a default UDS Core deployment, the uds-operator client has the manage-clients role, enabling the attacker to register, modify, or delete other clients, potentially leading to secondary credential theft or redirect-URI tampering [1].

Mitigation

Version 0.26.1 of uds-identity-config patches this issue. This fix is included in uds-core versions 1.0.1, 1.1.1, and 1.2.2 [2].