
CVE-2026-46389: UDS Identity Config Auth Bypass Flaw

CVE-2026-46389 is an authentication bypass vulnerability in UDS Identity Config's Keycloak client authenticator that allows attackers to obtain OAuth2 tokens. This article covers technical details, affected versions, and patches.


CVE-2026-46389 Overview

CVE-2026-46389 is an authentication bypass vulnerability in UDS Identity Config, which builds the Keycloak configuration image consumed by UDS Core's Identity deployment. The flaw resides in the client-kubernetes-secret Keycloak client authenticator shipped by uds-identity-config. A logic error causes the submitted client_secret to be overwritten with the mounted Kubernetes secret before the comparison runs. Any attacker who can reach the Keycloak token endpoint and knows a client_id using this authenticator can authenticate with any value for client_secret. The vulnerability affects versions 0.11.0 through 0.26.0 and is fixed in 0.26.1.

Critical Impact

An unauthenticated network attacker can obtain OAuth2 tokens scoped to the targeted client's service account. Compromise of the uds-operator client allows registration and modification of other Keycloak clients.

Affected Products

  • UDS Identity Config versions 0.11.0 through 0.26.0
  • UDS Core Identity deployments consuming affected uds-identity-config images
  • Keycloak instances using the client-kubernetes-secret client authenticator

Discovery Timeline

  • 2026-06-05 - CVE-2026-46389 published to NVD
  • 2026-06-05 - Last updated in NVD database
  • Version 0.26.1 - Defense Unicorns releases patched uds-identity-config image

Technical Details for CVE-2026-46389

Vulnerability Analysis

The vulnerability is an authentication bypass [CWE-287] in a custom Keycloak client authenticator. Keycloak supports pluggable client authentication methods used during the OAuth2 token endpoint flow. The client-kubernetes-secret authenticator was designed to verify a client's submitted client_secret against a secret value mounted from a Kubernetes secret. Instead of comparing the two values, the authenticator overwrites the submitted secret with the mounted secret prior to the equality check. The comparison therefore always succeeds. Any client configured to use this authenticator accepts arbitrary client_secret values.

The impact is amplified by the privilege model in UDS Core. The uds-operator client uses this authenticator and holds permissions to register and modify other Keycloak clients. An attacker authenticating as uds-operator can pivot to broader control over the identity provider, alter redirect URIs, weaken authentication policies, or mint tokens for downstream services.

Root Cause

The defect is a logic error in the credential validation path of the client-kubernetes-secret authenticator. The submitted credential is assigned the value of the trusted secret before the comparison is performed, eliminating the security check. The validator returns success regardless of attacker-supplied input.
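To make the root cause concrete, here is an added illustration (not the project's Java authenticator) in Python: a validator that reproduces the overwrite-before-compare defect beside a corrected validator that rejects empty input and compares in constant time. The secret file path and value are constructed for the demo.

```python
import hmac
import os
import tempfile


def read_mounted_secret(path):
    """Read the trusted secret a Kubernetes Secret volume mounts at `path`."""
    with open(path, "r", encoding="utf-8") as f:
        return f.read().strip()


def validate_vulnerable(submitted, mounted_path):
    """Mirrors the advisory's logic error: the submitted value is overwritten
    with the trusted secret before the comparison, so the check never fails."""
    expected = read_mounted_secret(mounted_path)
    submitted = expected            # the defect: assignment, not comparison
    return submitted == expected    # always True, whatever the caller sent


def validate_fixed(submitted, mounted_path):
    """Corrected check: refuse empty values and compare in constant time."""
    expected = read_mounted_secret(mounted_path)
    if not submitted or not expected:
        return False
    return hmac.compare_digest(submitted.encode(), expected.encode())


def demo():
    """Write a constructed secret to a temp file and exercise both validators.
    Returns (vulnerable accepts junk, fixed rejects junk, fixed accepts real)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "client-secret")   # constructed mount path
        with open(path, "w", encoding="utf-8") as f:
            f.write("s3cr3t-value\n")              # constructed secret
        return (validate_vulnerable("anything", path),
                validate_fixed("anything", path),
                validate_fixed("s3cr3t-value", path))
```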

Attack Vector

Exploitation requires only network reachability to the Keycloak token endpoint and knowledge of a client_id that uses the vulnerable authenticator. The attacker sends a standard OAuth2 client_credentials grant request with the target client_id and any arbitrary client_secret. Keycloak returns an access token scoped to the client's service account. No user interaction or prior authentication is required.

No verified proof-of-concept code is published. See the GitHub Security Advisory GHSA-8mg2-6588-r4hw for additional technical detail.

Detection Methods for CVE-2026-46389

Indicators of Compromise

  • Successful client_credentials grant requests to the Keycloak token endpoint from unexpected source IPs targeting clients that use the client-kubernetes-secret authenticator.
  • Token issuance events for the uds-operator client or other privileged service accounts outside of normal cluster reconciliation patterns.
  • Unexpected Keycloak admin API calls creating or modifying clients, redirect URIs, or protocol mappers shortly after token issuance.

Detection Strategies

  • Enable Keycloak event logging for CLIENT_LOGIN and CLIENT_LOGIN_ERROR events and forward to a centralized log pipeline for correlation.
  • Audit Keycloak admin events for CREATE, UPDATE, and DELETE actions on CLIENT resources, then alert on activity not originating from the GitOps pipeline.
  • Enumerate the clients whose authenticator is set to client-kubernetes-secret and compare that set against an allowlist of expected service-to-service callers in your environment.
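The two strategies above (auditing which clients are bound to the authenticator, and correlating CLIENT_LOGIN events) combined into one added Python example that is not part of the original page. The client list mimics the Keycloak admin API's clientAuthenticatorType field, the event lines mimic Keycloak login events, and the allowlist and trusted pod CIDR are hypothetical; all sample data is constructed.

```python
import ipaddress
import json

# Constructed sample: a subset of what the Keycloak admin clients endpoint returns.
CLIENTS_JSON = json.dumps([
    {"clientId": "uds-operator", "clientAuthenticatorType": "client-kubernetes-secret"},
    {"clientId": "grafana", "clientAuthenticatorType": "client-secret"},
    {"clientId": "legacy-batch", "clientAuthenticatorType": "client-kubernetes-secret"},
])

# Constructed sample: Keycloak login events, one JSON object per line.
EVENT_LINES = """\
{"type": "CLIENT_LOGIN", "clientId": "uds-operator", "ipAddress": "10.42.0.17"}
{"type": "CLIENT_LOGIN", "clientId": "uds-operator", "ipAddress": "203.0.113.9"}
{"type": "CLIENT_LOGIN", "clientId": "grafana", "ipAddress": "203.0.113.9"}
{"type": "CLIENT_LOGIN", "clientId": "legacy-batch", "ipAddress": "10.42.1.3"}
{"type": "CLIENT_LOGIN_ERROR", "clientId": "uds-operator", "ipAddress": "10.42.0.17"}
"""

VULN_AUTHENTICATOR = "client-kubernetes-secret"
ALLOWED_CLIENTS = {"uds-operator"}                      # hypothetical allowlist
TRUSTED_NETS = [ipaddress.ip_network("10.42.0.0/16")]  # hypothetical pod CIDR


def clients_using_authenticator(clients_json, authenticator=VULN_AUTHENTICATOR):
    """Return the set of client_ids bound to the given client authenticator."""
    return {c["clientId"] for c in json.loads(clients_json)
            if c.get("clientAuthenticatorType") == authenticator}


def unexpected_clients(clients_json, allowed=ALLOWED_CLIENTS):
    """Clients bound to the vulnerable authenticator that are not on the allowlist."""
    return clients_using_authenticator(clients_json) - allowed


def suspicious_logins(event_lines, exposed_clients, trusted=TRUSTED_NETS):
    """Successful CLIENT_LOGIN events for exposed clients from outside trusted nets."""
    hits = []
    for line in event_lines.splitlines():
        ev = json.loads(line)
        if ev.get("type") != "CLIENT_LOGIN" or ev.get("clientId") not in exposed_clients:
            continue
        src = ipaddress.ip_address(ev["ipAddress"])
        if not any(src in net for net in trusted):
            hits.append((ev["clientId"], ev["ipAddress"]))
    return hits
```

In production, feed the clients list from the admin API export and the event stream from the log pipeline in place of the constructed samples.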

Monitoring Recommendations

  • Forward Keycloak audit and event streams to a centralized SIEM or data lake and retain them long enough to investigate post-disclosure activity.
  • Monitor egress from workloads holding uds-operator tokens for unexpected destinations or token reuse outside the cluster.
  • Alert on any change to Keycloak client configuration, authenticator bindings, or service account role mappings.

How to Mitigate CVE-2026-46389

Immediate Actions Required

  • Upgrade uds-identity-config to version 0.26.1 or later and redeploy the UDS Core Identity component to consume the patched image.
  • Rotate the Kubernetes secrets backing every Keycloak client that used the client-kubernetes-secret authenticator, including uds-operator.
  • Review Keycloak admin and client event logs since the deployment of any affected version for unexpected token issuance or client modifications.
  • Restrict network access to the Keycloak token and admin endpoints to trusted in-cluster sources where feasible.

Patch Information

Defense Unicorns released uds-identity-config version 0.26.1 to fix the credential comparison logic. Refer to the GitHub Release v0.26.1 for upgrade notes and to the GitHub Security Advisory GHSA-8mg2-6588-r4hw for advisory details. All deployments running 0.11.0 through 0.26.0 must upgrade.

Workarounds

  • If immediate upgrade is not possible, disable or unbind the client-kubernetes-secret authenticator from all Keycloak clients and switch affected clients to a standard client-secret or client-jwt authenticator.
  • Apply network policies that restrict access to the Keycloak token endpoint to authorized in-cluster service identities only.
  • Temporarily revoke service account roles on the uds-operator client until the patched image is deployed.

```bash
# Verify the deployed uds-identity-config image version.
# Init containers are listed too, since the config image may run as one.
kubectl -n keycloak get pods -o jsonpath='{.items[*].spec.containers[*].image} {.items[*].spec.initContainers[*].image}' | tr ' ' '\n' | grep uds-identity-config

# After upgrade, confirm the rollout completed and version 0.26.1 or later is running
kubectl -n keycloak rollout status statefulset/keycloak
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
