Security Advisory - Published 2026-06-12 - UDS / Keycloak
UDS Identity Config CVE-2026-46389: Keycloak client auth self-check
CVE-2026-46389 affects UDS Identity Config versions 0.11.0 through 0.26.0. The issue
sits in the client-kubernetes-secret Keycloak client authenticator used by
UDS Core identity deployments. If affected clients are reachable, review service-account
token activity as well as the version.
Who is affected
- Product: UDS Identity Config consumed by UDS Core's identity deployment.
- Affected versions: 0.11.0 through 0.26.0.
- Fixed version: 0.26.1.
- Primary risk: improper client authentication for clients using the vulnerable authenticator.
Cluster inventory
helm list -A | grep -Ei 'uds|keycloak'
kubectl get pods,deploy,statefulset -A | grep -Ei 'uds|keycloak'
kubectl get configmap,secret -A | grep -Ei 'uds|identity|keycloak'
Confirm the image tag or release version actually running in the cluster. GitOps repos and Helm values can be ahead of the live deployment.
Keycloak areas to review
- Clients configured with client-kubernetes-secret.
- Service-account tokens issued after June 5, 2026, especially for operator-style clients.
- Client create, update, delete, and role-mapping events in Keycloak admin/audit logs.
- Unexpected client secrets, redirect URIs, service-account roles, or new clients.
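One way to script the first two review items, as an added example that is not part of the advisory or the UDS project's code. It assumes a Keycloak realm export and a list of login events are available as JSON, that client-credentials token issuance is recorded as CLIENT_LOGIN events, and that versions are plain x.y.z strings; the sample data and client names are constructed.

```python
import json
from datetime import datetime, timezone

AUTHENTICATOR = "client-kubernetes-secret"  # authenticator named in the advisory
AFFECTED = ((0, 11, 0), (0, 26, 0))         # inclusive affected range
# Assumption: the review window starts at 00:00 UTC on June 5, 2026 (inclusive).
REVIEW_FROM_MS = int(datetime(2026, 6, 5, tzinfo=timezone.utc).timestamp() * 1000)

def is_affected(version: str) -> bool:
    """True if an x.y.z UDS Identity Config version is in the affected range."""
    parts = tuple(int(p) for p in version.lstrip("v").split("."))
    return AFFECTED[0] <= parts <= AFFECTED[1]

def clients_to_review(realm: dict) -> dict:
    """Map clientId -> serviceAccountsEnabled for clients using the authenticator."""
    return {
        c["clientId"]: bool(c.get("serviceAccountsEnabled"))
        for c in realm.get("clients", [])
        if c.get("clientAuthenticatorType") == AUTHENTICATOR
    }

def token_events_to_review(events: list, client_ids) -> list:
    """CLIENT_LOGIN events (client-credentials tokens) for those clients in the window."""
    return [
        e for e in events
        if e.get("type") == "CLIENT_LOGIN"
        and e.get("clientId") in client_ids
        and e.get("time", 0) >= REVIEW_FROM_MS
    ]

# Constructed sample data (not from a real deployment): a trimmed realm export
# and three login events shaped like Keycloak's event representation.
SAMPLE_REALM = json.loads("""{"realm": "example", "clients": [
  {"clientId": "example-operator", "clientAuthenticatorType": "client-kubernetes-secret",
   "serviceAccountsEnabled": true},
  {"clientId": "example-web", "clientAuthenticatorType": "client-secret"}]}""")
SAMPLE_EVENTS = [
    {"type": "CLIENT_LOGIN", "clientId": "example-operator", "time": REVIEW_FROM_MS + 86_400_000},
    {"type": "CLIENT_LOGIN", "clientId": "example-operator", "time": REVIEW_FROM_MS - 86_400_000},
    {"type": "CLIENT_LOGIN", "clientId": "example-web", "time": REVIEW_FROM_MS + 86_400_000},
]

if __name__ == "__main__":
    flagged = clients_to_review(SAMPLE_REALM)
    print("affected version:", is_affected("0.26.0"))
    print("clients to review:", flagged)
    for event in token_events_to_review(SAMPLE_EVENTS, flagged):
        print("token event:", event["clientId"], event["time"])
```

Keycloak only records login events when event saving is enabled for the realm, so an empty result is meaningful only if that setting was on during the review window.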
Safe fix path
- Update UDS Identity Config to 0.26.1 or newer.
- Redeploy the identity stack and confirm Keycloak is using the fixed authenticator image/config.
- Rotate affected client secrets after the fixed deployment is live.
- Review service-account role assignments and remove privileges that are no longer needed.
- Keep Keycloak audit logs for the review window before pruning pods or old config.
When to request repair help
Use Ping7 CVE Repair if the Keycloak token endpoint is reachable from outside the cluster, you cannot map which clients use the authenticator, or service-account token events look unusual. Send the UDS Identity Config version, Keycloak exposure, and whether audit events are enabled.