Unknown · Uds-Identity-Config · CVE-2026-46389
**Name of the Vulnerable Software and Affected Versions**
UDS Identity Config versions 0.11.0 through 0.26.0
**Description**
A logic error exists in the `client-kubernetes-secret` Keycloak client authenticator. The submitted `client secret` is overwritten with the value of the mounted Kubernetes secret before the comparison occurs, so the comparison always succeeds. An attacker who can reach the Keycloak token endpoint and knows the `client id` of a client that uses this authenticator can authenticate as that client with any value for the `client secret` and obtain OAuth2 tokens scoped to the client's service account. If the `uds-operator` client is targeted, the obtained token can be used to register or modify other clients.
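The following is an added illustration of the overwrite-before-compare flaw described above, written in Python as a simplified model rather than as code from uds-identity-config or Keycloak (which are Java). The mounted Kubernetes secret is modelled as an in-memory dict with a constructed sample value, the client lookup is a dict, and the function names `authenticate_vulnerable`, `authenticate_fixed` and `regression_check` are invented for the example. It shows why the vulnerable flow accepts any submitted value, what the corrected comparison looks like, and a negative test of the kind that would have caught the defect.

```python
"""Model of the overwrite-before-compare logic error (added example, not project code)."""
import hmac
from typing import Dict, Optional

# Constructed sample data standing in for the secret mounted into the Keycloak pod
# for a client that uses the client-kubernetes-secret authenticator.
MOUNTED_SECRETS: Dict[str, str] = {
    "uds-operator": "k8s-mounted-secret-value-EXAMPLE",
}


def _mounted_secret(client_id: str) -> Optional[str]:
    """Stand-in for reading the Kubernetes secret mounted for this client."""
    return MOUNTED_SECRETS.get(client_id)


def authenticate_vulnerable(client_id: str, submitted_secret: str) -> bool:
    """Reproduces the flaw: the caller's value is replaced by the mounted value
    before the check, so the comparison is between the mounted secret and itself."""
    expected = _mounted_secret(client_id)
    if expected is None:
        return False
    submitted_secret = expected          # the logic error: overwrites the input
    return submitted_secret == expected  # always True for a known client id


def authenticate_fixed(client_id: str, submitted_secret: Optional[str]) -> bool:
    """Corrected flow: keep the caller's value and compare it against the
    mounted secret with a constant-time comparison."""
    expected = _mounted_secret(client_id)
    if expected is None or submitted_secret is None:
        return False
    return hmac.compare_digest(submitted_secret.encode(), expected.encode())


def regression_check() -> Dict[str, bool]:
    """Runs both implementations against a wrong and a right secret and returns the
    outcomes; a CI test for the authenticator should assert the 'fixed' values."""
    wrong = "anything-at-all"
    right = MOUNTED_SECRETS["uds-operator"]
    return {
        "vulnerable_accepts_wrong": authenticate_vulnerable("uds-operator", wrong),
        "fixed_accepts_wrong": authenticate_fixed("uds-operator", wrong),
        "fixed_accepts_right": authenticate_fixed("uds-operator", right),
        "fixed_unknown_client": authenticate_fixed("no-such-client", right),
    }


if __name__ == "__main__":
    for name, outcome in regression_check().items():
        print(f"{name}: {outcome}")
```

The important defensive check is the negative case: an authenticator's test suite must include a request with a deliberately wrong secret and assert that it is rejected. A suite that only tests the happy path passes against both versions of this code, which is how an always-true comparison survives review.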
**Recommendations**
Update to version 0.26.1.