CVE-2026-1709: Keylime Missing Authentication for Critical Function and Improper Authentication

February 6, 2026

The Keylime registrar does not enforce mutual TLS (mTLS) client certificate authentication since version 7.12.0. The registrar’s TLS context is configured with ssl.CERT_OPTIONAL instead of ssl.CERT_REQUIRED, allowing any client to connect to protected API endpoints without presenting a valid client certificate.
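As an added illustration (not Keylime's own code), the snippet below builds a server-side TLS context in the shape of a registrar HTTPS listener both ways, the weak `CERT_OPTIONAL` variant and the corrected `CERT_REQUIRED` one, and adds a small audit helper that reports whether a context actually makes the client certificate mandatory. The function names and the `ca_file` argument are assumptions for the example.

```python
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass
class ClientAuthFinding:
    enforced: bool      # True only when a valid client certificate is mandatory
    verify_mode: str    # name of the ssl.VerifyMode in effect
    detail: str


def build_registrar_context(ca_file: Optional[str] = None,
                            require_client_cert: bool = True) -> ssl.SSLContext:
    """Server-side TLS context. require_client_cert=False reproduces the weak
    setting the advisory describes (CERT_OPTIONAL); True is the fixed one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_OPTIONAL
    if ca_file:
        # CA that issued the client certificates (assumed path). Without a CA,
        # CERT_REQUIRED rejects every client; CERT_OPTIONAL admits clients
        # that present no certificate at all.
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def audit_client_auth(ctx: ssl.SSLContext) -> ClientAuthFinding:
    """Classify a server context by whether it really enforces mTLS."""
    mode = ctx.verify_mode
    if mode == ssl.CERT_REQUIRED:
        return ClientAuthFinding(True, mode.name,
                                 "handshake fails unless the client presents a "
                                 "certificate chaining to a loaded CA")
    if mode == ssl.CERT_OPTIONAL:
        return ClientAuthFinding(False, mode.name,
                                 "a presented certificate is verified, but the "
                                 "client may simply present none")
    return ClientAuthFinding(False, mode.name,
                             "client certificates are neither requested nor verified")


def harden_registrar_context(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Apply the fix: make the client certificate mandatory."""
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    weak = build_registrar_context(require_client_cert=False)
    print(audit_client_auth(weak))
    print(audit_client_auth(harden_registrar_context(weak)))
```

Run the audit against whatever context an existing service hands to its listener; anything other than `CERT_REQUIRED` means an unauthenticated client can complete the handshake.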

Who is impacted:

  • All Keylime deployments running versions 7.12.0 through 7.13.0
  • Environments where the registrar HTTPS port (default 8891) is network-accessible to untrusted clients

What an attacker can do:

  • List all registered agents (GET /v2/agents/) - enumerate the entire agent inventory
  • Retrieve agent details (GET /v2/agents/{uuid}) - obtain public TPM keys, certificates, and network locations (IP/port) of any agent
  • Delete any agent (DELETE /v2/agents/{uuid}) - remove agents from the registry, disrupting attestation services

Note: The exposed TPM data (EK, AK, certificates) consists of public keys and certificates. Private keys remain protected within TPM hardware. The HMAC secret used for challenge-response validation is stored in the database but is not exposed via the API.

Affected versions: >= 7.12.0, <= 7.13.0

Fixed versions: 7.12.2, >= 7.13.1

References

  • access.redhat.com/security/cve/CVE-2026-1709
  • bugzilla.redhat.com/show_bug.cgi?id=2435514
  • github.com/advisories/GHSA-4jqp-9qjv-57m2
  • github.com/keylime/keylime
  • github.com/keylime/keylime/security/advisories/GHSA-4jqp-9qjv-57m2
  • nvd.nist.gov/vuln/detail/CVE-2026-1709

Code Behaviors & Features

Detect and mitigate CVE-2026-1709 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.

Affected versions

All versions from 7.12.0 before 7.12.2, and all versions from 7.13.0 before 7.13.1 (including 7.13.0 itself)

Fixed versions

  • 7.12.2
  • 7.13.1

Solution

Upgrade to versions 7.12.2, 7.13.1 or above.

Impact: 9.4 CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H


Source file

pypi/keylime/CVE-2026-1709.yml



Page generated Sat, 07 Feb 2026 00:18:58 +0000.