
UDS Identity Config CVE-2026-46389

EUVD-2026-34879 | CRITICAL
Improper Authentication (CWE-287)
2026-06-05 GitHub_M
10.0
CVSS 3.1

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Jun 05, 2026 20:02 (EUVD): Patch available
Jun 05, 2026 19:21 (vuln.today): Source code evidence fetched
Jun 05, 2026 19:21 (vuln.today): Analysis generated
Jun 05, 2026 18:10 (nvd): CVE published

Description (NVD)

UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Identity deployment. In versions 0.11.0 through 0.26.0, a logic error in the client-kubernetes-secret Keycloak client authenticator (shipped by uds-identity-config and consumed by UDS Core) causes the submitted client_secret to be overwritten with the mounted Kubernetes secret before comparison. An attacker who can reach the Keycloak token endpoint and knows a client_id using this authenticator can authenticate as that client with any client_secret value and obtain OAuth2 tokens scoped to the client's service account. In the case of the uds-operator client, this token can be used to register or modify other clients. Version 0.26.1 patches the issue.
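The logic error described above, modelled as an added illustration (not code from uds-identity-config or Keycloak): the vulnerable check replaces the caller's value with the mounted secret and then compares the mounted secret with itself, so any submitted value passes; the corrected check compares what was actually submitted. `MOUNTED_SECRET`, `token_endpoint` and the field names are constructed stand-ins.

```python
import hmac
import secrets

# Constructed stand-in for the value Keycloak would read from the mounted
# Kubernetes Secret; no real deployment value appears on the page.
MOUNTED_SECRET = "kube-mounted-secret-value"


def vulnerable_check(submitted_secret: str, mounted_secret: str = MOUNTED_SECRET) -> bool:
    """Models the logic error: the submitted value is overwritten with the
    mounted value before comparison, so the check can never fail."""
    submitted_secret = mounted_secret  # the overwrite that defeats the comparison
    return hmac.compare_digest(submitted_secret.encode(), mounted_secret.encode())


def fixed_check(submitted_secret: str, mounted_secret: str = MOUNTED_SECRET) -> bool:
    """Compares the value the caller actually sent against the mounted value,
    in constant time; an empty or missing secret never matches."""
    if not submitted_secret:
        return False
    return hmac.compare_digest(submitted_secret.encode(), mounted_secret.encode())


def token_endpoint(params: dict, check) -> dict:
    """Minimal model of the client_credentials decision at the token endpoint:
    200 with a token when the authenticator accepts the client, else 401."""
    if params.get("grant_type") != "client_credentials":
        return {"status": 400, "error": "unsupported_grant_type"}
    if check(params.get("client_secret", "")):
        return {"status": 200, "access_token": secrets.token_urlsafe(16)}
    return {"status": 401, "error": "invalid_client"}
```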

Analysis (AI)

Authentication bypass in Defense Unicorns UDS Identity Config versions 0.11.0 through 0.26.0 allows unauthenticated remote attackers to impersonate any Keycloak client that uses the client-kubernetes-secret authenticator by submitting an arbitrary client_secret to the token endpoint. Because compromising the uds-operator client enables registration and modification of other Keycloak clients, this maximum-severity (CVSS 10.0) flaw can cascade into full identity-plane takeover of a UDS Core deployment. …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata

Recon: Identify exposed UDS Core Keycloak endpoint
Delivery: Enumerate known client_id (uds-operator)
Exploit: POST client_credentials with arbitrary client_secret
Install: Receive valid OAuth2 access token
C2: Call Keycloak admin API as uds-operator
Execute: Register or modify other clients
Impact: Persist identity-plane takeover

Vulnerability Assessment (AI)

Exploitation: Exploitation requires (1) network reachability to the targeted Keycloak instance's OAuth2 token endpoint deployed via UDS Core's Identity component, (2) knowledge of a `client_id` whose Keycloak client is configured to use the `client-kubernetes-secret` authenticator shipped by UDS Identity Config 0.11.0-0.26.0 (the high-value target is the `uds-operator` client, whose ID is well-known in UDS Core), and (3) the affected version range being deployed. …

Risk Assessment: The CVSS:3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H maxes out at 10.0 and is consistent with the description: the Keycloak token endpoint is reachable over the network, no privileges or user interaction are needed, and scope changes because authentication as `uds-operator` lets the attacker pivot to controlling other Keycloak clients (a different trust domain). …

Exploit Scenario: An attacker who can reach the Keycloak token endpoint of a UDS Core deployment (for example via an exposed ingress or from a compromised in-cluster pod) issues an OAuth2 client_credentials request to `/realms/uds/protocol/openid-connect/token` with `client_id=uds-operator` and any arbitrary `client_secret` such as `x`. The vulnerable authenticator overwrites the submitted secret with the mounted Kubernetes Secret before comparison, so the token endpoint returns a valid access token scoped to the `uds-operator` service account. …

Remediation: Vendor-released patch: upgrade UDS Identity Config to v0.26.1 or later (https://github.com/defenseunicorns/uds-identity-config/releases/tag/v0.26.1) and redeploy the Keycloak configuration image so UDS Core picks up the corrected `client-kubernetes-secret` authenticator; review the advisory at https://github.com/defenseunicorns/uds-identity-config/security/advisories/GHSA-8mg2-6588-r4hw for any required follow-up steps. …

Recommended Action (AI)

Within 24 hours: Identify all deployments running UDS Identity Config versions 0.11.0-0.26.0; audit Keycloak clients configured with the client-kubernetes-secret authenticator; review recent authentication logs for suspicious client token requests. …
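An added audit helper for the steps above (example code, not from UDS or vuln.today): it checks whether a deployed uds-identity-config version falls in 0.11.0 through 0.26.0, lists the clients whose `clientAuthenticatorType` is `client-kubernetes-secret` from Keycloak ClientRepresentation objects (the field name is Keycloak's; the client list itself is constructed here), and flags CLIENT_LOGIN events for those clients from addresses outside an allow-list. The event field names (`type`, `clientId`, `ipAddress`, `details`) and the client names other than uds-operator are assumptions.

```python
import json

AFFECTED_MIN, AFFECTED_MAX = (0, 11, 0), (0, 26, 0)
AUTHENTICATOR = "client-kubernetes-secret"


def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.lstrip("v").split("."))


def is_affected(version: str) -> bool:
    """True when the version is within the advisory's 0.11.0 - 0.26.0 range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def clients_using_authenticator(clients: list) -> list:
    """Filter ClientRepresentation dicts (shape of Keycloak's admin API
    GET /admin/realms/{realm}/clients) for the affected authenticator."""
    return sorted(c["clientId"] for c in clients
                  if c.get("clientAuthenticatorType") == AUTHENTICATOR)


def suspicious_client_logins(events: list, exposed_clients: list, allowed_ips: set) -> list:
    """CLIENT_LOGIN events for an exposed client from a non-allow-listed address.
    Event field names are assumed to follow Keycloak's login event JSON."""
    exposed = set(exposed_clients)
    return [e for e in events
            if e.get("type") == "CLIENT_LOGIN"
            and e.get("clientId") in exposed
            and e.get("ipAddress") not in allowed_ips]


# Constructed sample data; "grafana" and "uds-runtime" are made-up client names.
SAMPLE_CLIENTS = json.loads("""[
 {"clientId": "uds-operator", "clientAuthenticatorType": "client-kubernetes-secret"},
 {"clientId": "grafana", "clientAuthenticatorType": "client-secret"},
 {"clientId": "uds-runtime", "clientAuthenticatorType": "client-kubernetes-secret"}
]""")
SAMPLE_EVENTS = [
    {"type": "CLIENT_LOGIN", "clientId": "uds-operator", "ipAddress": "10.42.0.15",
     "details": {"grant_type": "client_credentials"}},
    {"type": "CLIENT_LOGIN", "clientId": "uds-operator", "ipAddress": "203.0.113.7",
     "details": {"grant_type": "client_credentials"}},
    {"type": "LOGIN", "clientId": "grafana", "ipAddress": "203.0.113.7", "details": {}},
]
IN_CLUSTER = {"10.42.0.15"}  # constructed allow-list of expected in-cluster sources


def audit(version: str, clients=SAMPLE_CLIENTS, events=SAMPLE_EVENTS,
          allowed_ips=IN_CLUSTER) -> dict:
    exposed = clients_using_authenticator(clients) if is_affected(version) else []
    return {"affected": is_affected(version), "exposed_clients": exposed,
            "suspicious_logins": suspicious_client_logins(events, exposed, allowed_ips)}
```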


CVE-2026-46389 vulnerability details – vuln.today
