Security Advisory - Published 2026-06-12 - UDS / Keycloak

UDS Identity Config CVE-2026-46389: Keycloak client auth self-check

CVE-2026-46389 affects UDS Identity Config versions 0.11.0 through 0.26.0. The issue sits in the client-kubernetes-secret Keycloak client authenticator used by UDS Core identity deployments. Because the flaw is in client authentication, checking the deployed version is not enough: if clients that use the affected authenticator are reachable, also review their service-account token activity for the exposure window.

Defensive scope: this checklist is for owned clusters and approved Keycloak reviews. It does not include token endpoint probes, client-secret bypass attempts, or instructions for testing third-party identity systems.

Who is affected

  • Product: UDS Identity Config consumed by UDS Core's identity deployment.
  • Affected versions: 0.11.0 through 0.26.0.
  • Fixed version: 0.26.1.
  • Primary risk: improper client authentication for clients using the vulnerable authenticator. Such clients authenticate as themselves and receive service-account tokens, so the exposure is those tokens and the roles mapped to the service account.

Cluster inventory

helm list -A | grep -Ei 'uds|keycloak'
kubectl get pods,deploy,statefulset -A | grep -Ei 'uds|keycloak'
kubectl get configmap,secret -A | grep -Ei 'uds|identity|keycloak'

Confirm the image tag or release version actually running in the cluster. GitOps repos and Helm values can be ahead of the live deployment.
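The inventory commands above only list names. The following script, added here as an example and not part of the advisory or the UDS project, reads the JSON that `kubectl get deploy,statefulset -A -o json` prints, pulls every container and init-container image, and classifies identity-config tags against the affected range 0.11.0 through 0.26.0 and the fixed version 0.26.1. The image repository name (ghcr.io/defenseunicorns/uds/identity-config), the substring used to recognise it, and the sample workload list are assumptions constructed for offline use.

```python
"""Classify running UDS Identity Config image tags against CVE-2026-46389.

Added example, not part of the advisory or the UDS project. Input is the JSON
from `kubectl get deploy,statefulset -A -o json`. The image repository name and
the sample workloads below are constructed assumptions.
"""
import json
import re
import subprocess

AFFECTED_MIN = (0, 11, 0)
AFFECTED_MAX = (0, 26, 0)
FIXED = (0, 26, 1)
IMAGE_HINT = "identity-config"  # assumption: substring that identifies the image


def parse_version(tag):
    """(major, minor, patch) from tags like '0.25.0', 'v0.26.1' or '0.26.1-uds.0'; None otherwise."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else None


def image_tag(image):
    """Tag part of an image reference; 'latest' if untagged, None if digest-pinned."""
    last = image.rsplit("/", 1)[-1]  # strip registry/path so a registry port is not mistaken for a tag
    if "@" in last:
        return None
    return last.split(":", 1)[1] if ":" in last else "latest"


def classify(tag):
    """'affected', 'fixed', 'unaffected' (older than 0.11.0) or 'unknown' (unparseable/digest)."""
    v = parse_version(tag) if tag else None
    if v is None:
        return "unknown"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED:
        return "fixed"
    return "unaffected"


def running_images(kubectl_json):
    """Yield (namespace, Kind/name, image) for every container and init container."""
    for item in kubectl_json.get("items", []):
        meta = item["metadata"]
        pod = item["spec"]["template"]["spec"]
        for c in pod.get("initContainers", []) + pod.get("containers", []):
            yield meta["namespace"], f'{item["kind"]}/{meta["name"]}', c["image"]


def audit(kubectl_json):
    """Findings for every workload whose image looks like identity-config."""
    findings = []
    for ns, ref, image in running_images(kubectl_json):
        if IMAGE_HINT not in image:
            continue
        findings.append({"namespace": ns, "workload": ref, "image": image,
                         "status": classify(image_tag(image))})
    return findings


# Constructed sample: one StatefulSet still on 0.25.0, one Deployment already on 0.26.1,
# and an unrelated workload that must be ignored.
SAMPLE_WORKLOADS = {"items": [
    {"kind": "StatefulSet", "metadata": {"namespace": "keycloak", "name": "keycloak"},
     "spec": {"template": {"spec": {
         "initContainers": [{"name": "identity-config",
                             "image": "ghcr.io/defenseunicorns/uds/identity-config:0.25.0"}],
         "containers": [{"name": "keycloak", "image": "quay.io/keycloak/keycloak:26.0.0"}]}}}},
    {"kind": "Deployment", "metadata": {"namespace": "uds-staging", "name": "identity-config-sync"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "sync", "image": "ghcr.io/defenseunicorns/uds/identity-config:v0.26.1"}]}}}},
    {"kind": "Deployment", "metadata": {"namespace": "monitoring", "name": "grafana"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "grafana", "image": "docker.io/grafana/grafana:11.0.0"}]}}}},
]}

if __name__ == "__main__":
    raw = subprocess.run(["kubectl", "get", "deploy,statefulset", "-A", "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    for finding in audit(json.loads(raw)):
        print(finding)
```

Run it against the live cluster rather than against rendered manifests; a digest-pinned image comes back as `unknown` and has to be resolved to a version by hand.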

Keycloak areas to review

  • Clients configured with client-kubernetes-secret.
  • Service-account tokens issued after June 5, 2026, especially for operator-style clients.
  • Client create, update, delete, and role-mapping events in Keycloak admin/audit logs.
  • Unexpected client secrets, redirect URIs, service-account roles, or new clients.
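The four review items above can be worked from Keycloak's admin REST exports. The script below is an added example, not the advisory's or the UDS project's code: it takes client representations (GET /admin/realms/{realm}/clients), admin events (GET .../admin-events) and login events (GET .../events) as Python lists, lists the clients on the vulnerable authenticator, flags client create/update/delete and role-mapping changes after the June 5, 2026 cutoff, and counts CLIENT_LOGIN events (client_credentials grants, i.e. service-account token issuance) per client and source address. All sample records, client IDs and addresses are constructed; the assumption that affected clients carry clientAuthenticatorType "client-kubernetes-secret" is marked in the code.

```python
"""Triage Keycloak exports for the CVE-2026-46389 review window.

Added example, not part of the advisory or the UDS project. Record shapes follow
Keycloak's admin REST API; every sample record below is constructed.
Assumption: clients on the vulnerable authenticator have
clientAuthenticatorType == "client-kubernetes-secret".
"""
import json
from collections import Counter
from datetime import datetime, timezone

VULN_AUTHENTICATOR = "client-kubernetes-secret"
# Review window start from the advisory: tokens issued after June 5, 2026 (UTC).
CUTOFF_MS = int(datetime(2026, 6, 5, tzinfo=timezone.utc).timestamp() * 1000)


def ms(iso):
    """Epoch milliseconds for a UTC timestamp like '2026-06-07T10:15:00' (used by the samples)."""
    return int(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp() * 1000)


def clients_using_authenticator(clients, authenticator=VULN_AUTHENTICATOR):
    """Sorted clientIds whose representation selects the given authenticator."""
    return sorted(c["clientId"] for c in clients if c.get("clientAuthenticatorType") == authenticator)


def triage_admin_events(admin_events, cutoff_ms=CUTOFF_MS):
    """Flag client lifecycle changes and role-mapping changes after the cutoff.

    'representation' is only present when the realm's admin events config has
    includeRepresentation enabled, so its absence is tolerated."""
    findings = []
    for ev in admin_events:
        if ev["time"] < cutoff_ms:
            continue
        rtype = ev.get("resourceType", "")
        actor = ev.get("authDetails", {}).get("userId")
        if rtype == "CLIENT" and ev["operationType"] in ("CREATE", "UPDATE", "DELETE"):
            rep = json.loads(ev["representation"]) if ev.get("representation") else {}
            findings.append({"kind": "client-change", "op": ev["operationType"],
                             "path": ev["resourcePath"], "clientId": rep.get("clientId"),
                             "authenticator": rep.get("clientAuthenticatorType"), "by": actor})
        elif rtype.endswith("ROLE_MAPPING"):  # REALM_ROLE_MAPPING / CLIENT_ROLE_MAPPING
            findings.append({"kind": "role-mapping", "op": ev["operationType"],
                             "path": ev["resourcePath"], "by": actor})
    return findings


def triage_client_logins(login_events, suspect_clients, cutoff_ms=CUTOFF_MS):
    """CLIENT_LOGIN counts per (clientId, ipAddress) for suspect clients after the cutoff.

    CLIENT_LOGIN is the event Keycloak records for a client_credentials grant,
    which is how a service-account token is issued."""
    counts = Counter()
    for ev in login_events:
        if ev["type"] == "CLIENT_LOGIN" and ev["time"] >= cutoff_ms and ev["clientId"] in suspect_clients:
            counts[(ev["clientId"], ev.get("ipAddress"))] += 1
    return counts


# Constructed samples.
SAMPLE_CLIENTS = [
    {"clientId": "uds-operator", "clientAuthenticatorType": VULN_AUTHENTICATOR, "serviceAccountsEnabled": True},
    {"clientId": "grafana", "clientAuthenticatorType": "client-secret", "serviceAccountsEnabled": False},
]
SAMPLE_ADMIN_EVENTS = [
    {"time": ms("2026-06-01T08:00:00"), "operationType": "UPDATE", "resourceType": "CLIENT",
     "resourcePath": "clients/aaaa", "authDetails": {"userId": "admin-1"},
     "representation": json.dumps({"clientId": "grafana", "clientAuthenticatorType": "client-secret"})},
    {"time": ms("2026-06-07T10:15:00"), "operationType": "CREATE", "resourceType": "CLIENT",
     "resourcePath": "clients/bbbb", "authDetails": {"userId": "service-account-uds-operator"},
     "representation": json.dumps({"clientId": "backup-agent", "clientAuthenticatorType": VULN_AUTHENTICATOR})},
    {"time": ms("2026-06-07T10:16:00"), "operationType": "CREATE", "resourceType": "REALM_ROLE_MAPPING",
     "resourcePath": "users/cccc/role-mappings/realm", "authDetails": {"userId": "service-account-uds-operator"}},
]
SAMPLE_LOGIN_EVENTS = [
    {"time": ms("2026-06-04T23:00:00"), "type": "CLIENT_LOGIN", "clientId": "uds-operator", "ipAddress": "10.42.0.7"},
    {"time": ms("2026-06-06T02:00:00"), "type": "CLIENT_LOGIN", "clientId": "uds-operator", "ipAddress": "10.42.0.7"},
    {"time": ms("2026-06-06T02:01:00"), "type": "CLIENT_LOGIN", "clientId": "uds-operator", "ipAddress": "203.0.113.9"},
    {"time": ms("2026-06-06T02:02:00"), "type": "CLIENT_LOGIN", "clientId": "uds-operator", "ipAddress": "203.0.113.9"},
    {"time": ms("2026-06-06T02:03:00"), "type": "LOGIN", "clientId": "grafana", "ipAddress": "10.42.0.9"},
]
```

On the constructed data the admin-event triage surfaces a new client created on the vulnerable authenticator by a service account, followed a minute later by a realm role mapping from the same actor; the login triage shows the operator client obtaining tokens from an address outside the cluster range. Both are the patterns the review list asks for. Role-mapping admin events do not carry the client representation, so map their resourcePath back to the user or client by hand.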

Safe fix path

  1. Update UDS Identity Config to 0.26.1 or newer.
  2. Redeploy the identity stack and confirm Keycloak is using the fixed authenticator image/config.
  3. Rotate affected client secrets after the fixed deployment is live.
  4. Review service-account role assignments and remove privileges that are no longer needed.
  5. Keep Keycloak audit logs for the review window before pruning pods or old config.
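Steps 3 and 4 can be scripted against the Keycloak admin REST API once step 2 is confirmed. The following is an added example, not the advisory's or the UDS project's code: it lists clients on the vulnerable authenticator, regenerates each one's secret with POST /admin/realms/{realm}/clients/{id}/client-secret, and fetches the service-account user's realm role mappings so step 4 has a list to prune. HTTP goes through an injected `request(method, path, body=None)` callable so the same function can be dry-run and tested offline; the urllib transport, the realm name, and the in-memory FakeKeycloak stand-in are constructed for this example. It refuses to rotate anything until the caller asserts the fixed deployment is live, because a rotation performed before the upgrade still goes through the vulnerable authenticator.

```python
"""Post-upgrade remediation for CVE-2026-46389: rotate client secrets and list
service-account roles for clients on the vulnerable authenticator.

Added example, not part of the advisory or the UDS project. Endpoints are
Keycloak's admin REST API; the transport is injected so the logic runs offline.
Assumption: affected clients have clientAuthenticatorType "client-kubernetes-secret".
"""
import json
import urllib.request

VULN_AUTHENTICATOR = "client-kubernetes-secret"


def http_request_factory(base_url, bearer):
    """Real transport: request(method, path, body=None) over urllib with an admin bearer token."""
    def request(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method,
                                     headers={"Authorization": f"Bearer {bearer}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else None
    return request


def remediate(request, realm, fixed_version_live, dry_run=True):
    """Rotate secrets (unless dry_run) and collect realm roles of each affected service account.

    Raises unless the caller confirms the 0.26.1+ deployment is live (advisory step 3)."""
    if not fixed_version_live:
        raise RuntimeError("deploy UDS Identity Config 0.26.1 or newer before rotating secrets")
    base = f"/admin/realms/{realm}"
    report = []
    for c in request("GET", f"{base}/clients"):
        if c.get("clientAuthenticatorType") != VULN_AUTHENTICATOR:
            continue
        entry = {"clientId": c["clientId"], "rotated": False, "realmRoles": []}
        if not dry_run:
            request("POST", f"{base}/clients/{c['id']}/client-secret")  # regenerates the secret
            entry["rotated"] = True
        if c.get("serviceAccountsEnabled"):
            sa = request("GET", f"{base}/clients/{c['id']}/service-account-user")
            roles = request("GET", f"{base}/users/{sa['id']}/role-mappings/realm")
            entry["realmRoles"] = sorted(r["name"] for r in roles)  # review and prune (step 4)
        report.append(entry)
    return report


class FakeKeycloak:
    """Constructed in-memory stand-in for a realm; records every call for inspection."""

    def __init__(self):
        self.calls = []
        self.clients = [
            {"id": "c1", "clientId": "uds-operator", "clientAuthenticatorType": VULN_AUTHENTICATOR,
             "serviceAccountsEnabled": True},
            {"id": "c2", "clientId": "grafana", "clientAuthenticatorType": "client-secret",
             "serviceAccountsEnabled": False},
        ]
        self.sa_roles = {"c1": [{"name": "uds-core-admin"}, {"name": "admin"}]}

    def __call__(self, method, path, body=None):
        self.calls.append((method, path))
        if method == "GET" and path.endswith("/clients"):
            return self.clients
        if method == "POST" and path.endswith("/client-secret"):
            return {"type": "secret", "value": "rotated"}
        if method == "GET" and path.endswith("/service-account-user"):
            cid = path.split("/clients/")[1].split("/")[0]
            return {"id": f"sa-{cid}"}
        if method == "GET" and "/role-mappings/realm" in path:
            uid = path.split("/users/")[1].split("/")[0]
            return self.sa_roles.get(uid.replace("sa-", "", 1), [])
        raise AssertionError(f"unexpected call {method} {path}")


if __name__ == "__main__":
    # Offline demonstration; for a real realm pass http_request_factory(url, token).
    for entry in remediate(FakeKeycloak(), "uds", fixed_version_live=True, dry_run=True):
        print(entry)
```

Run with `dry_run=True` first and keep the output: the role list is the input to step 4, and the rotated-secret values returned by the POST must be delivered to the workloads that use them before the old ones stop working.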

When to request repair help

Use Ping7 CVE Repair if the Keycloak token endpoint is reachable from outside the cluster, you cannot map which clients use the authenticator, or service-account token events look unusual. Send the UDS Identity Config version, Keycloak exposure, and whether audit events are enabled.
