
UDS Identity Config Client Secret Bypass Vulnerability

CVE advisory | Severity: CRITICAL (CVSS 9.8)

CVE-2026-46389

A logic error in UDS Identity Config allows attackers to bypass client secret checks, potentially enabling them to authenticate as legitimate clients and obtain OAuth2 tokens. This could lead to unauthorized modification of client configurations. Uncertainty exists regarding specific exploitable configurations and busi

Halo Surface Signal: 5

Vulnerability class: Authentication Bypass

Product: Defenseunicorns Uds Identity Config

Affected versions: 0.11.0 to before 0.26.1

External exposure likelihood


The vulnerability resides in a Keycloak client authenticator, which protects the token endpoint. As an identity provider component designed to handle OAuth2 authentication and token issuance for services, it is typically deployed as a public-facing service or an edge-accessible gateway to facilitate authentication for external users and clients.

PCI scan relevance


CVE-2026-46389 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows an attacker to authenticate as any client by bypassing secret comparison, potentially granting unauthorized access to sensitive data and system modifications, which would cause a PCI scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A logic error in the UDS Identity Config software allows unauthorized users to authenticate as legitimate clients and obtain security tokens. This could potentially enable an attacker to modify client configurations, impacting the integrity of the identity management system. The main concern is confirming relevance and exposure.

  • Authenticator flaw bypasses client secret checks.
  • Could allow unauthorized control of clients.
  • Confirm if your identity system is affected.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a crafted request to the Keycloak token endpoint. If the attacker knows a valid `client_id` that uses the vulnerable authenticator, they can bypass the `client_secret` validation. This allows them to obtain OAuth2 tokens with the privileges of that client, potentially leading to further system compromise.

  • Attacker needs network access and a client ID.
  • Triggered by sending a request to the token endpoint.
  • Allows unauthorized token acquisition and client management.

Live Threat

Current exploitation, exposure, and threat context

According to the advisory, a logic error in the Keycloak client authenticator could allow an unauthenticated attacker who knows a `client_id` to impersonate that client and obtain OAuth2 tokens. These tokens could then be used to register or modify other clients.

  • Client credentials and service account tokens.
  • Unauthenticated access to token endpoint.
  • Unauthorized client management.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The UDS Identity Config component is likely managed by platform or infrastructure teams, with potential oversight from security or vendor management teams due to its role in identity and authentication. The initial step is to locate all instances of UDS Identity Config, determine their reachability and criticality, identify the accountable owner, and then plan remediation based on the assessed risk, coordinating with the vendor as needed.

  • Identify platform or infrastructure team owners.
  • Verify Keycloak token endpoint reachability.
  • Plan vendor-coordinated remediation.

Frequently asked questions

What is UDS Identity Config?

UDS Identity Config is a component used by Defense Unicorns' UDS Core to package and deploy Keycloak configurations. It manages essential items like realms, security plugins, themes, and truststores to standardize identity and access management across Kubernetes environments. By automating these settings, it ensures that services have the necessary instructions to authenticate users and manage tokens securely.

What does CVE-2026-46389 mean for authentication security?

This vulnerability involves a logic error, specifically classified under Improper Authentication (CWE-287) and Incorrect Implementation of Authentication Algorithm (CWE-303). It occurs because the system mistakenly replaces the provided client secret with a stored Kubernetes secret during verification. This flaw effectively disables the password check, allowing an attacker to impersonate clients and gain unauthorized OAuth2 tokens.

How is this vulnerability triggered?

An attacker triggers this bug by sending a request to the Keycloak token endpoint. They must possess a valid `client_id` configured to use the affected authenticator. Simply possessing an ID is enough to bypass the secret check; however, the vulnerability is not triggered if the `client_id` is unknown or if the service does not utilize the vulnerable `client-kubernetes-secret` authentication logic.
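The two answers above describe the defect (the presented secret is replaced by the stored Kubernetes secret before comparison) and its trigger conditions (a known `client_id` using the affected authenticator). The following Python model is an added illustration, not UDS Identity Config's or Keycloak's code: `K8S_SECRETS`, `verify_vulnerable`, `verify_fixed` and `token_endpoint` are constructed stand-ins that show why the vulnerable check only fails for an unknown client, and what the corrected comparison looks like.

```python
import hmac
import secrets

# Constructed stand-in for the per-client secrets the authenticator reads
# from Kubernetes; values are made up for this example.
K8S_SECRETS = {"uds-core-admin": "s3cr3t-from-k8s", "grafana": "grafana-k8s-secret"}


def lookup_stored_secret(client_id):
    """Return the stored secret for client_id, or None if the client is unknown."""
    return K8S_SECRETS.get(client_id)


def verify_vulnerable(client_id, presented_secret):
    """Models the logic error in the advisory: the value the caller sent is
    overwritten with the stored secret before the comparison, so the check
    can only fail when the client_id has no stored secret at all."""
    stored = lookup_stored_secret(client_id)
    if stored is None:
        return False
    presented_secret = stored  # the defect: caller's secret is discarded here
    return hmac.compare_digest(presented_secret.encode(), stored.encode())


def verify_fixed(client_id, presented_secret):
    """Corrected check: compare what the caller actually sent, in constant time."""
    stored = lookup_stored_secret(client_id)
    if stored is None or presented_secret is None:
        return False
    return hmac.compare_digest(presented_secret.encode(), stored.encode())


def token_endpoint(form, verify):
    """Minimal model of a token endpoint handling the client_credentials grant.
    `form` is the decoded request body; `verify` is one of the checks above."""
    if form.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    if not verify(form.get("client_id", ""), form.get("client_secret")):
        return {"error": "invalid_client"}
    return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}
```

With `verify_vulnerable`, a request carrying a valid `client_id` and any `client_secret` (or none) is issued a token; with `verify_fixed`, only the correct secret is accepted, and an unknown `client_id` is rejected by both.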

Is my deployment at risk according to Halo Surface Signal?

Halo Surface Signal indicates that because this vulnerability exists within a Keycloak client authenticator, it is highly relevant for most users. Since Keycloak acts as a central identity provider, it is frequently deployed as a public-facing service or an edge-accessible gateway. If your instance is reachable over the network, it is considered very likely that the token endpoint could be exposed to unauthorized access.

What steps should I take to address this?

Your first step is to identify all running instances of UDS Identity Config within your environment and verify their version numbers. If you are running any version from 0.11.0 through 0.26.0, you are affected. Coordinate with your platform or infrastructure teams to update to version 0.26.1, which includes the necessary patch to correct the secret validation logic and restore secure authentication.
