Description
Exposure of the QKEY (used as input into the ‘OTA-Quantum’ device registration process) and internal system keys via an unauthenticated and unencrypted HTTP GET method in the Arqit Symmetric Key Agreement Platform.

This issue affects Symmetric Key Agreement Platform: before 26.03.
Published: 2026-05-13
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to retrieve the QKEY used for the ‘OTA-Quantum’ device registration process, as well as other internal system keys, by issuing a simple HTTP GET request. The exposed keys are transmitted over an unencrypted channel and do not require any authentication. This flaw is a classic example of weak access control (CWE‑749) and can lead to compromise of cryptographic material, undermining the security of the entire key agreement process.

Affected Systems

Arqit Symmetric Key Agreement Platform, all releases prior to version 26.03.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity. Although an EPSS score is not available, the lack of authentication and encryption means any actor with network reach to the platform can exploit the flaw immediately, making exploitability likely. The vulnerability is not listed in the CISA KEV catalog, but its potential to compromise key material warrants urgent attention. Attackers would simply send an unauthenticated HTTP GET request to the vulnerable endpoint, read the plaintext key data, and then use those keys to impersonate devices or decrypt protected communications.

Generated by OpenCVE AI on May 13, 2026 at 19:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Arqit Symmetric Key Agreement Platform to version 26.03 or later.
  • Disable or secure the HTTP GET endpoint that exposes the QKEY, requiring authentication and TLS.
  • Restrict network access to the platform and monitor for any unintended key disclosures.

Advisories

No advisories yet.

History

Thu, 14 May 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Arqit; Arqit symmetric Key Agreement Platform
Vendors & Products | | Arqit; Arqit symmetric Key Agreement Platform

Wed, 13 May 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 13 May 2026 18:30:00 +0000

Type | Values Removed | Values Added
Description | | Exposure of the QKEY (used as input into the ‘OTA-Quantum’ device registration process) and internal system keys via an unauthenticated and unencrypted HTTP GET method in the Arqit Symmetric Key Agreement Platform. This issue affects Symmetric Key Agreement Platform: before 26.03.
Title | | Arqit SKA-Platform Vulnerable to Key Exposure
Weaknesses | | CWE-749
References | |
Metrics | | cvssV3_1: {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: ENISA

Published:

Updated: 2026-05-13T18:57:55.074Z

Reserved: 2026-03-23T12:53:47.473Z

Link: CVE-2026-33583

Vulnrichment

Updated: 2026-05-13T18:57:45.502Z

NVD

Status: Deferred

Published: 2026-05-13T19:17:06.873

Modified: 2026-05-14T17:07:07.030

Link: CVE-2026-33583

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:34:02Z
