CRITICALCVE-2026-1709Published Modified CNA redhat
CVE-2026-1709: Keylime: keylime: authentication bypass allows unauthorized administrative operations due to missing client-side tls authentication
A flaw was found in Keylime. The Keylime registrar, since version 7.12.0, does not enforce client-side Transport Layer Security (TLS) authentication. This authentication bypass vulnerability allows unauthenticated clients with network access to perform administrative operations, including listing agents, retrieving public Trusted Platform Module (TPM) data, and deleting agents, by connecting without presenting a client certificate.
Metrics
- CVSS v3.1
- 9.4
- Severity
- CRITICAL
- Fixed in
- 0:7.12.1-2.el10_0.5
- Affected Products
- 3
Fix available
0:7.12.1-2.el10_0.50:7.12.1-11.el10_1.40:7.12.1-11.el9_7.4
Affected packages
- Red Hat / Red Hat Enterprise Linux 10Fixed in 0:7.12.1-11.el10_1.4
- Red Hat / Red Hat Enterprise Linux 10.0 Extended Update SupportFixed in 0:7.12.1-2.el10_0.5
- Red Hat / Red Hat Enterprise Linux 9Fixed in 0:7.12.1-11.el9_7.4
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H