Description
Exposed Keycloak management
service in the Arqit Symmetric Key Agreement Platform enables unauthorized access to sensitive debug
information such as metrics and
health data. This issue affects Symmetric Key Agreement Platform: before 26.03.
Published: 2026-05-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Arqit Symmetric Key Agreement Platform exposes its Keycloak management service, allowing unauthenticated users to retrieve sensitive debug information such as metrics and health data, thereby violating confidentiality. The weakness is classified as CWE-749, reflecting the vulnerability of revealing protected data through improper access controls.

Affected Systems

Vendors affected are Arqit, specifically the Symmetric Key Agreement Platform. Any installation using a version prior to 26.03 is vulnerable and must be updated to mitigate this issue.

Risk and Exploitability

The vulnerability has a CVSS score of 5.3, indicating moderate severity. EPSS data is unavailable and the vulnerability is not listed in CISA KEV. The likely attack vector is remote; an attacker who can reach the exposed Keycloak endpoint can retrieve discarded debug data without authentication. Exploitation does not require local privileges but depends on network reachability to the service.

Generated by OpenCVE AI on May 13, 2026 at 20:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Arqit Symmetric Key Agreement Platform to version 26.03 or later.
  • Restrict network access to the Keycloak management service using firewall rules and enforce role‑based permissions at the service level.
  • Disable or secure the debug metrics endpoint so that it requires proper authentication before exposing data.

Generated by OpenCVE AI on May 13, 2026 at 20:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Arqit
Arqit symmetric Key Agreement Platform
Vendors & Products Arqit
Arqit symmetric Key Agreement Platform

Wed, 13 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 19:15:00 +0000

Type Values Removed Values Added
Description Exposed Keycloak management service in the Arqit Symmetric Key Agreement Platform enables unauthorized access to sensitive debug information such as metrics and health data. This issue affects Symmetric Key Agreement Platform: before 26.03.
Title Arqit SKA-Platform Enables Access to Debug Information
Weaknesses CWE-749
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Arqit Symmetric Key Agreement Platform
cve-icon MITRE

Status: PUBLISHED

Assigner: ENISA

Published:

Updated: 2026-05-13T19:39:01.096Z

Reserved: 2026-03-23T12:53:47.473Z

Link: CVE-2026-33584

cve-icon Vulnrichment

Updated: 2026-05-13T19:38:32.211Z

cve-icon NVD

Status : Deferred

Published: 2026-05-13T19:17:07.183

Modified: 2026-05-14T17:19:49.973

Link: CVE-2026-33584

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T14:33:55Z

Weaknesses