The vulnerability in uds-identity-config arises from a logic error in the `client-kubernetes-secret` Keycloak client authenticator, where the submitted client_secret is overwritten with the mounted Kubernetes secret before comparison. This flaw allows an attacker with network access to the Keycloak token endpoint and knowledge of a client_id to bypass proper client_secret validation and obtain OAuth2 tokens with the privileges of that client. The impact is significant, especially for the uds-operator client, which can use the token to register or modify other clients. The issue affects versions from 0.11.0 up to but not including 0.26.1, which contains the fix.

Successful exploitation allows an unauthenticated attacker to impersonate any client configured with the vulnerable authenticator by bypassing client_secret verification. This leads to unauthorized issuance of OAuth2 tokens with full client service account privileges, including the ability to modify or register clients in the Keycloak realm. The vulnerability has a CVSS 3.1 score of 10.0 (critical), indicating complete confidentiality, integrity, and availability compromise within the affected system.

Version 0.26.1 of uds-identity-config contains a patch that fixes this authentication bypass vulnerability. Users should upgrade to version 0.26.1 or later to remediate the issue. No vendor advisory or official patch link was provided, so verify the upgrade availability and instructions from the defenseunicorns project repository or official channels. Patch status is not yet confirmed via vendor advisory; check the vendor's official resources for the latest remediation guidance.