PT-2026-47027 · Defenseunicorns · Uds-Identity-Config

Published: 2026-06-05 · Updated: 2026-06-05 · CVE-2026-46389

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Identity deployment. In versions 0.11.0 through 0.26.0, a logic error in the client-kubernetes-secret Keycloak client authenticator (shipped by uds-identity-config and consumed by UDS Core) causes the submitted client secret to be overwritten with the mounted Kubernetes secret before the two are compared, so the comparison always succeeds. An attacker who can reach the Keycloak token endpoint and knows a client id that uses this authenticator can authenticate as that client with any client secret value and obtain OAuth2 tokens scoped to the client's service account. In the case of the uds-operator client, this token can be used to register or modify other clients. Version 0.26.1 patches the issue.
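To illustrate the logic error described above, here is an added Python model (not the project's Java authenticator and not code from the advisory) of a client-secret check that overwrites the submitted value before comparing, shown beside a corrected check; the mounted secret value is a constructed placeholder.

```python
import hmac

# Constructed stand-in for the Kubernetes secret the authenticator reads
# from its mount; the client id is from the advisory, the value is made up.
MOUNTED_SECRETS = {
    "uds-operator": "placeholder-secret-from-k8s-mount",
}


def authenticate_vulnerable(client_id: str, submitted_secret: str) -> bool:
    """Models the 0.11.0-0.26.0 defect: the caller's value is replaced by
    the mounted secret before comparison, so the check compares the
    mounted secret with itself and passes for any submitted value."""
    mounted = MOUNTED_SECRETS.get(client_id)
    if mounted is None:
        return False
    submitted_secret = mounted          # the bug: overwrite before compare
    return submitted_secret == mounted  # always True for a known client id


def authenticate_fixed(client_id: str, submitted_secret: str) -> bool:
    """Hardened form: compare what the caller actually sent against the
    mounted secret, using a constant-time comparison."""
    mounted = MOUNTED_SECRETS.get(client_id)
    if mounted is None or submitted_secret is None:
        return False
    return hmac.compare_digest(submitted_secret.encode(), mounted.encode())
```

The vulnerable variant accepts any secret for a known client id, which is the behaviour the advisory describes; the fixed variant only accepts the mounted value.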

Fix

Weakness Enumeration: Improper Authentication

Related Identifiers: CVE-2026-46389

Affected Products: Uds-Identity-Config