CVE-2026-1709
CWE-322
CWE-295 — Improper Certificate Validation
CWE-306 — Missing Authentication
7 documents, 7 sources
Severity
9.8 CRITICAL
EPSS
0.0%
top 88.61%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Feb 6
Description
A flaw was found in Keylime. The Keylime registrar, since version 7.12.0, does not enforce client-side Transport Layer Security (TLS) authentication. This authentication bypass vulnerability allows unauthenticated clients with network access to perform administrative operations, including listing agents, retrieving public Trusted Platform Module (TPM) data, and deleting agents, by connecting without presenting a client certificate.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Exploitability: 3.9 | Impact: 5.5
Affected Packages (2 packages)
Also affects: Enterprise Linux 10.0, 9.0
Vulnerability Details
CVEList (3)
Keylime: keylime: authentication bypass allows unauthorized administrative operations due to missing client-side TLS authentication (2026-02-06)
Vendor Advisories
Red Hat (1)
keylime: Keylime: Authentication bypass allows unauthorized administrative operations due to missing client-side TLS authentication (2026-02-06)