CVE-2026-1709: Keylime Missing Authentication for Critical Function and Improper Authentication
The Keylime registrar has not enforced mutual TLS (mTLS) client certificate authentication since version 7.12.0. The registrar's TLS context is configured with ssl.CERT_OPTIONAL instead of ssl.CERT_REQUIRED, so any client can connect to protected API endpoints without presenting a valid client certificate.
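The setting at the heart of this advisory is one attribute of Python's ssl.SSLContext. The added example below is not Keylime's code; it builds a registrar-style server context in both the weak and the hardened form, audits which one actually enforces client authentication, and adds a handler-level check a defender can use as defense in depth. The function names, the omission of load_cert_chain and load_verify_locations paths (so the block runs offline), and the sample peer-certificate dict are all assumptions of this example.

```python
import ssl


def registrar_server_context(require_client_cert: bool) -> ssl.SSLContext:
    """Build a server-side TLS context for an HTTPS listener (hypothetical helper).

    require_client_cert=False reproduces the weak setting the advisory describes
    (ssl.CERT_OPTIONAL): a peer that presents no certificate still completes the
    handshake and reaches the API. require_client_cert=True is the hardened
    setting (ssl.CERT_REQUIRED): the handshake fails unless the peer presents a
    certificate that chains to a loaded CA.

    A real deployment would also call ctx.load_cert_chain(server_cert, server_key)
    and ctx.load_verify_locations(client_ca); the paths are omitted here so the
    example runs without any files on disk.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_OPTIONAL
    return ctx


def audit_client_auth(ctx: ssl.SSLContext) -> dict:
    """Report whether a server context really enforces mTLS.

    Only CERT_REQUIRED rejects certificate-less peers; CERT_OPTIONAL validates a
    certificate if one is offered but lets anonymous peers through, which is
    exactly the gap CVE-2026-1709 describes.
    """
    mode = ctx.verify_mode  # ssl.VerifyMode IntEnum, so .name is readable
    enforced = mode == ssl.CERT_REQUIRED
    return {
        "verify_mode": mode.name,
        "mtls_enforced": enforced,
        "finding": None if enforced else (
            "client certificate not required: unauthenticated peers can reach the API"
        ),
    }


def peer_is_authenticated(peercert) -> bool:
    """Defense-in-depth check for a request handler.

    peercert is the value of SSLSocket.getpeercert(): None when the peer sent no
    certificate, {} when one was sent but not validated, and a populated dict
    with a 'subject' entry only when a certificate was presented and verified.
    Treat anything but the last case as unauthenticated, so an endpoint stays
    closed even if the context's verify_mode regresses to CERT_OPTIONAL again.
    """
    return bool(peercert) and "subject" in peercert


if __name__ == "__main__":
    for require in (False, True):
        print(require, audit_client_auth(registrar_server_context(require)))
    # Constructed sample of what getpeercert() returns for a verified client cert.
    sample_cert = {"subject": ((("commonName", "keylime-tenant"),),)}
    print(peer_is_authenticated(None), peer_is_authenticated({}), peer_is_authenticated(sample_cert))
```

Running the block prints the weak context with mtls_enforced False and a finding string, the hardened context with CERT_REQUIRED and no finding, and the handler check rejecting both the missing and the unvalidated certificate. The audit function is the piece to drop into a configuration test: a registrar that sets its context as the vulnerable versions do will fail it.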
Who is impacted:
- All Keylime deployments running versions 7.12.0 through 7.13.0
- Environments where the registrar HTTPS port (default 8891) is network-accessible to untrusted clients
What an attacker can do:
- List all registered agents (GET /v2/agents/): enumerate the entire agent inventory
- Retrieve agent details (GET /v2/agents/{uuid}): obtain public TPM keys, certificates, and network locations (IP/port) of any agent
- Delete any agent (DELETE /v2/agents/{uuid}): remove agents from the registry, disrupting attestation services
Note: The exposed TPM data (EK, AK, certificates) consists of public keys and certificates. Private keys remain protected within TPM hardware. The HMAC secret used for challenge-response validation is stored in the database but is not exposed via the API.
Affected versions: >= 7.12.0, <= 7.13.0
Fixed versions: 7.12.2, >= 7.13.1
References
- access.redhat.com/errata/RHSA-2026:2224
- access.redhat.com/errata/RHSA-2026:2225
- access.redhat.com/errata/RHSA-2026:2298
- access.redhat.com/security/cve/CVE-2026-1709
- bugzilla.redhat.com/show_bug.cgi?id=2435514
- github.com/advisories/GHSA-4jqp-9qjv-57m2
- github.com/keylime/keylime/security/advisories/GHSA-4jqp-9qjv-57m2
- github.com/pypa/advisory-database/tree/main/vulns/keylime/PYSEC-2026-74.yaml
- nvd.nist.gov/vuln/detail/CVE-2026-1709