CVE-2026-1709
Unknown Unknown - Not Provided
TLS Authentication Bypass in Keylime Registrar Allows Unauthorized Admin Access

Publication date: 2026-02-06

Last updated on: 2026-03-05

Assigner: Red Hat, Inc.

Description
A flaw was found in Keylime. The Keylime registrar, since version 7.12.0, does not enforce client-side Transport Layer Security (TLS) authentication. This authentication bypass vulnerability allows unauthenticated clients with network access to perform administrative operations, including listing agents, retrieving public Trusted Platform Module (TPM) data, and deleting agents, by connecting without presenting a client certificate.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-06
Last Modified
2026-03-05
Generated
2026-06-16
AI Q&A
2026-02-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1709
EUVD
EUVD-2026-5599
Affected Vendors & Products
Showing 13 associated CPEs
Vendor Product Version / Range
keylime keylime to 7.12.0 (exc)
redhat enterprise_linux 9.0
redhat enterprise_linux_for_arm_64 9.0_aarch64
redhat enterprise_linux_for_power_little_endian 9.0_ppc64le
redhat enterprise_linux_for_ibm_z_systems 9.0_s390x
redhat enterprise_linux 10.0
redhat enterprise_linux_eus 10.0
redhat enterprise_linux_for_arm_64 10.0_aarch64
redhat enterprise_linux_for_arm_64_eus 10.0_aarch64
redhat enterprise_linux_for_ibm_z_systems 10.0_s390x
redhat enterprise_linux_for_ibm_z_systems_eus 10.0_s390x
redhat enterprise_linux_for_power_little_endian 10.0_ppc64le
redhat enterprise_linux_for_power_little_endian_eus 10.0_ppc64le
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-322 The product performs a key exchange with an actor without verifying the identity of that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'This vulnerability exists in the Keylime registrar starting from version 7.12.0, where client-side Transport Layer Security (TLS) authentication is not enforced due to a misconfiguration. Specifically, the TLS context is set without requiring client certificates (ssl.CERT_REQUIRED is not set). As a result, unauthenticated clients with network access can bypass authentication and perform administrative operations on the registrar.'}, {'type': 'list_item', 'content': 'Unauthenticated clients can list agents.'}, {'type': 'list_item', 'content': 'They can retrieve public Trusted Platform Module (TPM) data.'}, {'type': 'list_item', 'content': 'They can delete agents.'}, {'type': 'paragraph', 'content': "Exploitation only requires network access to the registrar's HTTPS port (default 8891) and a standard HTTP client like curl or wget, without needing any credentials or certificates."}] [1]

Impact Analysis

This vulnerability can have serious impacts because it allows unauthorized users to perform administrative actions on the Keylime registrar without authentication.

  • Attackers can list all agents managed by the registrar, potentially exposing sensitive system information.
  • They can retrieve public TPM data, which might be used to further compromise system security.
  • Attackers can delete agents, disrupting system operations and trust verification processes.

Since no credentials or special tools are needed, and only network access is required, the vulnerability is highly exploitable, leading to confidentiality, integrity, and availability impacts.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by attempting to connect to the Keylime registrar's HTTPS port (default 8891) without presenting a client certificate and checking if administrative operations are allowed."}, {'type': 'paragraph', 'content': 'For example, you can use standard HTTP clients like curl or wget to test if you can perform administrative actions such as listing agents without authentication.'}, {'type': 'list_item', 'content': 'curl -k https://<registrar_host>:8891/v1/agents'}, {'type': 'list_item', 'content': 'wget --no-check-certificate https://<registrar_host>:8891/v1/agents -O -'}, {'type': 'paragraph', 'content': 'If these commands return data without requiring a client certificate, the vulnerability is present.'}] [1]

Mitigation Strategies

Immediate mitigation steps include:

  • Restrict network access to port 8891 on the Keylime registrar by applying firewall rules to allow only trusted verifier and tenant hosts.
  • Deploy a reverse proxy such as nginx or HAProxy in front of the registrar to enforce mutual TLS (mTLS) client certificate authentication.
  • Upgrade Keylime to a fixed version that enforces client certificate validation by setting ssl.CERT_REQUIRED in the TLS context.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1709. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart