Description
Improper management of the idle timeout parameter in the Keycloak interface of the Arqit SKA-Platform enables an attacker to impersonate an authenticated tenant user via an unexpired browser session.

This issue affects Symmetric Key Agreement Platform: before 26.03.
Published: 2026-05-13
Score: 3.8 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper management of the idle timeout parameter in the Keycloak interface of the Arqit SKA-Platform allows an attacker to impersonate an authenticated tenant user while a browser session remains unexpired. This vulnerability enables unauthorized access to tenant resources, potentially compromising the confidentiality or integrity of sensitive data within the affected tenant. The weakness, identified as CWE-233, represents an insecure design flaw that permits session hijacking or reuse, allowing an attacker to pose as a legitimate user.

Affected Systems

The vulnerability applies to the Arqit Symmetric Key Agreement Platform, affecting all releases prior to version 26.03. No specific sub‑components are listed, and only the vendor product name and the cut‑off version are identified.

Risk and Exploitability

With a CVSS score of 3.8 and no EPSS probability reported, the overall risk is considered low to moderate. The attack requires access to a valid browser session that has not timed out, so the attacker must be able to exploit session reuse or maintain a session from another location. Since the vulnerability is not listed in CISA's KEV catalog, there is no evidence of documented exploitation, but an attacker could still conduct targeted session impersonation within the tenant ecosystem.

Generated by OpenCVE AI on May 13, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Configure the idle timeout in Keycloak to a short, secure duration and enforce immediate session expiry.
  • Require re‑authentication or additional verification for any privileged or sensitive tenant operations to mitigate the impact of a hijacked session.
  • Apply any vendor patch or update for the Arqit Symmetric Key Agreement Platform when it becomes available.

Generated by OpenCVE AI on May 13, 2026 at 20:25 UTC.

Advisories

No advisories yet.

History

Thu, 14 May 2026 15:00:00 +0000

  • First Time appeared (values added): Arqit; Arqit symmetric Key Agreement Platform
  • Vendors & Products (values added): Arqit; Arqit symmetric Key Agreement Platform

Wed, 13 May 2026 20:15:00 +0000

  • Metrics (values added): ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 19:15:00 +0000

  • Description (values added): Improper management of the idle timeout parameter in the Keycloak interface of the Arqit SKA-Platform enables an attacker to impersonate an authenticated tenant user via an unexpired browser session. This issue affects Symmetric Key Agreement Platform: before 26.03.
  • Title (values added): Arqit SKA-Platform Improper Handling of Parameters Vulnerability
  • Weaknesses (values added): CWE-233
  • References (values added): none listed
  • Metrics (values added): cvssV3_1
    {'score': 3.8, 'vector': 'CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: ENISA

Published:

Updated: 2026-05-13T19:31:17.058Z

Reserved: 2026-03-23T12:53:47.473Z

Link: CVE-2026-33585

Vulnrichment

Updated: 2026-05-13T19:31:12.596Z

NVD

Status: Deferred

Published: 2026-05-13T19:17:07.330

Modified: 2026-05-14T17:19:49.973

Link: CVE-2026-33585

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:33:54Z

Weaknesses
  • CWE-233: Improper Handling of Parameters