CVE Catalog

CVE-2026-1709

CriticalCVSS 9.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Very high risk
5.75%

92th percentile - higher than 92% of all known CVEs

Summary

In Keylime since version 7.12.0, client-side TLS authentication is not enforced. This authentication bypass vulnerability allows unauthenticated clients with network access to perform administrative operations, including listing agents, retrieving public TPM data, and deleting agents, without presenting a client certificate.

Risk Assessment

The risk involves unauthorized access to sensitive data and administrative operations, potentially compromising the integrity and confidentiality of systems managed by Keylime.

Recommendation

Immediately update Keylime to a version that enforces client-side TLS authentication and configure mandatory client certificates for all connections to the registrar.

Original NVD description (English source)

A flaw was found in Keylime. The Keylime registrar, since version 7.12.0, does not enforce client-side Transport Layer Security (TLS) authentication. This authentication bypass vulnerability allows unauthenticated clients with network access to perform administrative operations, including listing agents, retrieving public Trusted Platform Module (TPM) data, and deleting agents, by connecting without presenting a client certificate.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS