Description
A flaw was found in Keylime. The Keylime registrar, since version 7.12.0, does not enforce client-side Transport Layer Security (TLS) authentication. This authentication bypass vulnerability allows unauthenticated clients with network access to perform administrative operations, including listing agents, retrieving public Trusted Platform Module (TPM) data, and deleting agents, by connecting without presenting a client certificate.
Published: 2026-02-06
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized administrative operations via TLS client authentication bypass
Action: Apply patch
AI Analysis

Impact

The Keylime registrar, used to authenticate and manage TPM‑based agents, has a flaw in all releases since 7.12.0. The registrar never demands a client certificate over its HTTPS interface, allowing any host that can reach port 8891 to connect without authentication. Once connected, the attacker can invoke administrative APIs that list agents, retrieve public TPM data, or delete agents. This bypass eliminates the required client‑side TLS authentication, effectively giving unauthenticated consumers privileged access to agent metadata and the ability to remove agents, compromising confidentiality, integrity, and availability of the managed infrastructure.

Affected Systems

Red Hat Enterprise Linux 9 and 10 systems running Keylime versions 7.12.0 or newer are affected. The issue is present in the Red Hat packages that ship with these operating systems, as indicated by the advisories added to RHSA‑2026:2224, RHSA‑2026:2225, and RHSA‑2026:2298.

Risk and Exploitability

The vulnerability carries a CVSS v3.1 score of 9.4, indicating high severity, but the EPSS score of less than 1 % suggests exploitation is considered improbable at present. The attack surface is the publicly reachable HTTPS port 8891; an attacker only needs network connectivity to the registrar and does not require local privileges. It is not listed in the CISA KEV catalog, implying no known community exploits yet. Nonetheless, the combination of high impact and ease of network reach warrants immediate attention.

Generated by OpenCVE AI on April 16, 2026 at 17:23 UTC.

Remediation

Vendor Workaround

Restrict network access to the Keylime registrar's HTTPS port (default 8891) to only trusted verifier and tenant hosts using firewall rules. Alternatively, deploy a reverse proxy (e.g., Nginx, HAProxy) in front of the registrar to enforce client certificate authentication. Ensure any changes to firewall rules or proxy configurations are reloaded or services are restarted for the mitigation to take effect.

OpenCVE Recommended Actions

  • Apply the security updates referenced in RHSA‑2026:2224, RHSA‑2026:2225, or RHSA‑2026:2298 to the Keylime packages on your Red Hat systems
  • Restrict inbound traffic to the registrar’s HTTPS port 8891 so that only known verifier and tenant hosts can reach it; use firewall rules to block all other hosts
  • If you cannot apply the patch immediately, deploy a reverse proxy such as Nginx or HAProxy in front of the registrar to enforce client‑certificate authentication, and reload or restart the services after reconfiguration

Generated by OpenCVE AI on April 16, 2026 at 17:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4jqp-9qjv-57m2 Keylime Missing Authentication for Critical Function and Improper Authentication
History

Thu, 05 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Keylime
Keylime keylime
Redhat enterprise Linux For Arm 64
Redhat enterprise Linux For Arm 64 Eus
Redhat enterprise Linux For Ibm Z Systems
Redhat enterprise Linux For Ibm Z Systems Eus
Redhat enterprise Linux For Power Little Endian
Redhat enterprise Linux For Power Little Endian Eus
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:keylime:keylime:*:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:10.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_arm_64:10.0_aarch64:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_arm_64:9.0_aarch64:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:10.0_aarch64:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:10.0_s390x:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:9.0_s390x:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:10.0_s390x:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:10.0_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:9.0_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:10.0_ppc64le:*:*:*:*:*:*:*
Vendors & Products Keylime
Keylime keylime
Redhat enterprise Linux For Arm 64
Redhat enterprise Linux For Arm 64 Eus
Redhat enterprise Linux For Ibm Z Systems
Redhat enterprise Linux For Ibm Z Systems Eus
Redhat enterprise Linux For Power Little Endian
Redhat enterprise Linux For Power Little Endian Eus

Mon, 09 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat enterprise Linux Eus
CPEs cpe:/o:redhat:enterprise_linux_eus:10.0
Vendors & Products Redhat enterprise Linux Eus
References

Mon, 09 Feb 2026 07:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:9		 cpe:/a:redhat:enterprise_linux:9::appstream
cpe:/o:redhat:enterprise_linux:10.1
References

Sat, 07 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Critical

Fri, 06 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
Description A flaw was found in Keylime. The Keylime registrar, since version 7.12.0, does not enforce client-side Transport Layer Security (TLS) authentication. This authentication bypass vulnerability allows unauthenticated clients with network access to perform administrative operations, including listing agents, retrieving public Trusted Platform Module (TPM) data, and deleting agents, by connecting without presenting a client certificate.
Title Keylime: keylime: authentication bypass allows unauthorized administrative operations due to missing client-side tls authentication
First Time appeared Redhat
Redhat enterprise Linux
Weaknesses CWE-322
CPEs cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
References
Metrics cvssV3_1

{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H'}

Subscriptions

Keylime Keylime
Redhat Enterprise Linux Enterprise Linux Eus Enterprise Linux For Arm 64 Enterprise Linux For Arm 64 Eus Enterprise Linux For Ibm Z Systems Enterprise Linux For Ibm Z Systems Eus Enterprise Linux For Power Little Endian Enterprise Linux For Power Little Endian Eus
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-03-05T21:48:12.328Z

Reserved: 2026-01-30T17:00:54.761Z

Link: CVE-2026-1709

cve-icon Vulnrichment

Updated: 2026-02-06T19:38:25.955Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-06T20:16:09.193

Modified: 2026-03-05T20:58:02.720

Link: CVE-2026-1709

cve-icon Redhat

Severity : Critical

Publid Date: 2026-02-06T17:45:00Z

Links: CVE-2026-1709 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T17:30:26Z

Weaknesses