CVE-2026-46389
Kubernetes · UDS Identity Config
A logic error in the Kubernetes UDS Identity Config component allows attackers to bypass client secret authentication and obtain unauthorized OAuth2 tokens.
Executive summary
A critical authentication bypass in Kubernetes UDS Identity Config allows attackers to impersonate clients and gain unauthorized access to service accounts.
Vulnerability
A logic error in the client-kubernetes-secret Keycloak client authenticator causes the user-submitted client_secret to be overwritten by the mounted Kubernetes secret before comparison. This allows an attacker who knows a client_id to authenticate with an arbitrary secret and obtain tokens scoped to that client's service account.
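The following is an added, simplified model of the logic error described above; it is not code from the UDS Identity Config project or from Keycloak, and the client_id, secret values and lookup helper are constructed for illustration. It places the vulnerable comparison beside a hardened one so the failure mode is visible: when the caller's client_secret variable is overwritten by the mounted value before the comparison, the check degenerates to comparing the mounted secret with itself and passes for any input.

```python
"""Simplified model of the CVE-2026-46389 logic error (added example, not the
project's code). A Keycloak client authenticator is expected to compare the
client_secret sent by the caller with the secret mounted from a Kubernetes
Secret. In the vulnerable flow the caller's value is replaced by the mounted
value before the comparison, so the check always succeeds."""
import hmac
from typing import Optional

# Constructed stand-in for secrets mounted into the Keycloak pod, keyed by
# client_id. The values are made up for this example.
MOUNTED_SECRETS = {
    "uds-operator": "constructed-mounted-secret-value",
}


def load_mounted_secret(client_id: str) -> Optional[str]:
    """Stand-in (assumption) for reading the mounted Kubernetes Secret for a
    client; returns None when no secret is mounted for that client_id."""
    return MOUNTED_SECRETS.get(client_id)


def authenticate_vulnerable(client_id: str, submitted_secret: Optional[str]) -> bool:
    """Models the bug: the submitted secret is overwritten by the mounted one,
    so the comparison is mounted == mounted and any submitted value passes."""
    mounted = load_mounted_secret(client_id)
    if mounted is None:
        return False
    submitted_secret = mounted  # BUG: discards the caller's value before comparing
    return submitted_secret == mounted


def authenticate_fixed(client_id: str, submitted_secret: Optional[str]) -> bool:
    """Hardened: keep the caller's value and the mounted value separate, reject
    a missing secret on either side, and compare in constant time."""
    mounted = load_mounted_secret(client_id)
    if mounted is None or submitted_secret is None:
        return False
    return hmac.compare_digest(submitted_secret.encode(), mounted.encode())


if __name__ == "__main__":
    for name, fn in (("vulnerable", authenticate_vulnerable), ("fixed", authenticate_fixed)):
        print(name, "wrong secret accepted:", fn("uds-operator", "not-the-secret"))
```

The fixed variant returns False for an unknown client_id and for an absent secret, and uses hmac.compare_digest so the comparison time does not depend on how many leading bytes match.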
Business impact
With a CVSS score of 10.0, this vulnerability represents the highest level of risk. An attacker can gain broad administrative or service-level access, such as the ability to modify other clients via the uds-operator token, potentially leading to a full compromise of the identity management system and associated services.
Remediation
Immediate Action: Update UDS Identity Config to version 0.26.1 or later.
Proactive Monitoring: Monitor Keycloak authentication logs for unusual token request patterns or authentication attempts using unexpected client secrets.
Compensating Controls: Restrict access to the Keycloak token endpoint at the network or ingress controller level to limit the exposure of the identity service.
Exploitation status
Public Exploit Available: False
Analyst recommendation
Immediate remediation is required due to the CVSS 10.0 rating and the potential for complete identity provider compromise. Organizations must upgrade to version 0.26.1 and review all recent authentication activity for signs of unauthorized token generation.