9.8

CVE-2026-1709

Keylime: keylime: authentication bypass allows unauthorized administrative operations due to missing client-side tls authentication

A flaw was found in Keylime. The Keylime registrar, since version 7.12.0, does not enforce client-side Transport Layer Security (TLS) authentication. This authentication bypass vulnerability allows unauthenticated clients with network access to perform administrative operations, including listing agents, retrieving public Trusted Platform Module (TPM) data, and deleting agents, by connecting without presenting a client certificate.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 5.43% 0.917
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
secalert@redhat.com 9.4 3.9 5.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 9.4 3.9 5.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
CWE-322 Key Exchange without Entity Authentication

The product performs a key exchange with an actor without verifying the identity of that actor.

https://access.redhat.com/security/cve/CVE-2026-1709
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2435514
Third Party Advisory
Issue Tracking
https://access.redhat.com/errata/RHSA-2026:2224
Third Party Advisory
https://access.redhat.com/errata/RHSA-2026:2225
Third Party Advisory
https://access.redhat.com/errata/RHSA-2026:2298
Third Party Advisory
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1709.json