Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

defenseunicorns

Source -

CNANVD

BOS Name -

N/A

CNA CVEs -

2

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

1
Related CVEsRelated ProductsRelated AssignersReports
2Vulnerabilities found
CVE-2026-46389
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-10||CRITICAL
EPSS-Not Assigned
Published-05 Jun, 2026 | 18:10
Updated-05 Jun, 2026 | 19:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
UDS Identity Config has a client authentication bypass in `ClientIdAndKubernetesSecretAuthenticator`

UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Identity deployment. In versions 0.11.0 through 0.26.0, a logic error in the `client-kubernetes-secret` Keycloak client authenticator (shipped by `uds-identity-config` and consumed by UDS Core) causes the submitted `client_secret` to be overwritten with the mounted Kubernetes secret before comparison. An attacker who can reach the Keycloak token endpoint and knows a `client_id` using this authenticator can authenticate as that client with any `client_secret` value and obtain OAuth2 tokens scoped to the client's service account. In the case of the `uds-operator` client this token can be used to registry/modify other clients. Version 0.26.1 patches the issue.

Action-Not Available
Vendor-defenseunicorns
Product-uds-identity-config
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-303
Incorrect Implementation of Authentication Algorithm
CVE-2026-23634
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-4.3||NONE
EPSS-0.02% / 4.32%
||
7 Day CHG~0.00%
Published-16 Jan, 2026 | 19:14
Updated-04 Mar, 2026 | 14:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pepr Overly Permissive RBAC ClusterRole in Admin Mode

Pepr is a type safe K8s middleware. Prior to 1.0.5 , Pepr defaults to a cluster-admin RBAC configuration and does not explicitly force or enforce least-privilege guidance for module authors. The default behavior exists to make the “getting started” experience smooth: new users can experiment with Pepr and create resources dynamically without needing to pre-configure RBAC. This vulnerability is fixed in 1.0.5.

Action-Not Available
Vendor-defenseunicornsdefenseunicorns
Product-peprpepr
CWE ID-CWE-272
Least Privilege Violation