PatchSiren cyber security CVE debrief
CVE-2026-46389 defenseunicorns CVE debrief
CVE-2026-46389 is a CRITICAL vulnerability in UDS Identity Config's Keycloak configuration image. A logic error in the `client-kubernetes-secret` Keycloak client authenticator, shipped by `uds-identity-config` and consumed by UDS Core, causes the submitted `client_secret` to be overwritten with the mounted Kubernetes secret before comparison. This allows an attacker who can reach the Keycloak token endpoint and knows a `client_id` using this authenticator to authenticate as that client with any `client_secret` value and obtain OAuth2 tokens scoped to the client's service account. In the case of the `uds-operator` client, this token can be used to register or modify other clients. The issue was patched in version 0.26.1.
- Vendor: defenseunicorns
- Product: uds-identity-config
- CVSS: CRITICAL 10
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-05
- Original CVE updated: 2026-06-05
- Advisory published: 2026-06-05
- Advisory updated: 2026-06-05
Who should care
Users of UDS Identity Config versions 0.11.0 through 0.26.0 should be aware of this vulnerability and take action to patch their systems.
Technical summary
A logic error in the `client-kubernetes-secret` Keycloak client authenticator causes the submitted `client_secret` to be overwritten with the mounted Kubernetes secret before comparison, so the comparison always succeeds. This allows an attacker who can reach the token endpoint and knows an affected `client_id` to authenticate as that client with any `client_secret` value and obtain OAuth2 tokens scoped to the client's service account.
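The following is an added illustrative model of the flaw class described above; it is not code from uds-identity-config or Keycloak. It assumes a hypothetical authenticator that reads the expected secret from a mounted file (the path, file contents and function names are all constructed for the example). The flawed variant reproduces the described logic error, where the submitted value is replaced by the mounted secret before comparison, so every submitted value is accepted; the fixed variant compares the two values in constant time and rejects an empty submission.

```python
import hmac
import tempfile
from pathlib import Path


def load_mounted_secret(path: Path) -> str:
    """Read the expected client secret from a mounted secret file (hypothetical layout)."""
    return path.read_text(encoding="utf-8").strip()


def authenticate_flawed(submitted_secret: str, mounted_secret_path: Path) -> bool:
    """Model of the described logic error: the submitted secret is overwritten
    with the mounted secret before the comparison, so the check always passes."""
    expected = load_mounted_secret(mounted_secret_path)
    submitted_secret = expected  # BUG: discards what the caller actually sent
    return hmac.compare_digest(submitted_secret.encode(), expected.encode())


def authenticate_fixed(submitted_secret: str, mounted_secret_path: Path) -> bool:
    """Hardened form: keep the caller's value, reject empty input, and compare
    in constant time so the comparison itself does not leak timing information."""
    expected = load_mounted_secret(mounted_secret_path)
    if not submitted_secret:
        return False
    return hmac.compare_digest(submitted_secret.encode(), expected.encode())


def run_demo() -> dict:
    """Exercise both variants against a constructed mounted secret and return the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_file = Path(tmp) / "client-secret"  # constructed mount path
        secret_file.write_text("constructed-secret-value\n", encoding="utf-8")
        correct = "constructed-secret-value"
        wrong = "not-the-secret"
        return {
            "flawed_accepts_wrong": authenticate_flawed(wrong, secret_file),
            "flawed_accepts_correct": authenticate_flawed(correct, secret_file),
            "fixed_rejects_wrong": not authenticate_fixed(wrong, secret_file),
            "fixed_accepts_correct": authenticate_fixed(correct, secret_file),
            "fixed_rejects_empty": not authenticate_fixed("", secret_file),
        }


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

The point a reviewer would check in any authenticator of this shape is that the variable holding the caller's input is never reassigned between parsing the request and the comparison; a unit test that submits a deliberately wrong secret and expects rejection, as in `run_demo`, catches this class of error before release.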
Defensive priority
CRITICAL
Recommended defensive actions
- Upgrade to version 0.26.1 or later to patch the issue.
- Restrict access to the Keycloak token endpoint to prevent unauthorized access.
Evidence notes
The CVE-2026-46389 vulnerability was patched in version 0.26.1. References: [ref-4](https://github.com/defenseunicorns/uds-identity-config/releases/tag/v0.26.1), [ref-5](https://github.com/defenseunicorns/uds-identity-config/security/advisories/GHSA-8mg2-6588-r4hw).
Official resources
CVE-2026-46389 was published on 2026-06-05T19:16:32.703Z and modified on 2026-06-05T19:21:22.423Z.