CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-1709

Keylime Pie with a Side of Open Access: The CVE-2026-1709 Deep Dive

Amit Schendel
Amit Schendel
Senior Security Researcher

Feb 6, 2026·5 min read·86 visits

Executive Summary (TL;DR)

The Keylime Registrar, which manages TPM identities, had its mTLS verification set to 'Optional' instead of 'Required'. This allows any unauthenticated attacker with network access to query or delete agent records, effectively bypassing the entire security model of the registrar component. Fixed in versions 7.12.2 and 7.13.1.

A critical authentication bypass in Keylime, a CNCF project designed for remote boot attestation using TPMs. ironically, the component responsible for verifying trust (the Registrar) was configured to treat client certificates as 'optional' due to a logic error in the TLS initialization code. This allows unauthenticated attackers to wipe agent data, retrieve TPM metadata, and effectively blind the attestation service.

The Gatekeeper That Left the Gate Open

Keylime is the sort of tool you deploy when you are paranoid. It is a Cloud Native Computing Foundation (CNCF) project built for remote boot attestation. It uses Trusted Platform Modules (TPMs) to cryptographically prove that a remote server hasn't been tampered with. It is the digital equivalent of a guard dog that checks your ID badge, scans your retina, and takes a blood sample before letting you into the data center.

At the heart of this paranoid ecosystem sits the Registrar. The Registrar is the database of record for all Keylime agents. When a new node comes online, it talks to the Registrar. When the Verifier needs to check a node's integrity, it talks to the Registrar. Because this component holds the public keys and metadata for the entire fleet, it is supposed to be locked down tighter than a drum. Access is strictly controlled via Mutual TLS (mTLS).

Or at least, it was supposed to be. In version 7.12.0, a change was introduced that turned that snarling guard dog into a golden retriever. Instead of demanding a valid client certificate, the Registrar was configured to merely suggest one. If you showed up without ID, it just wagged its tail and let you in.

SSL Context: Optional or Mandatory?

To understand this bug, you have to understand Python's ssl module. It offers a few modes for verification, specifically CERT_REQUIRED and CERT_OPTIONAL.

To a weary developer or a rushed sysadmin, CERT_OPTIONAL sounds like a reasonable fallback: "Check the cert if they have one, but maybe let them handle authentication at the application layer if they don't." That is not what it does in this context.

When verify_mode is set to ssl.CERT_OPTIONAL, the server requests a certificate during the TLS handshake. If the client sends one, the server validates it. If the client sends nothing, the server says, "Fair enough, come on in." It is the "Fail Open" of cryptography. For a system like Keylime, which relies entirely on mTLS for authentication (it doesn't typically use passwords or tokens for these service-to-service calls), setting this mode is equivalent to removing the lock from the door entirely.

The One-Line Catastrophe

The vulnerability lived in keylime/web/base/server.py. The initialization logic for the web server creates an SSL context. Interestingly, the helper function web_util.init_mtls actually did its job correctly—it returned a context with verification set to CERT_REQUIRED.

But then, the Server class explicitly overruled it. Here is the smoking gun from the vulnerable code:

def _use_config(self, component: str) -> None:
    # ... configuration loading ...
    self._ssl_ctx = web_util.init_mtls(component)
    self._ssl_ctx.verify_mode = CERT_OPTIONAL  # <--- The root of all evil

That single line, added in version 7.12.0, effectively disabled the security model for the Registrar. It explicitly told the SSL context to stop enforcing the requirement for client certificates. The fix, implemented in commit a37fe134e6d22e52f5cbd07e0c9bfca9d5c8a31d, was embarrassingly simple: just delete the line.

Knocking on the Unlocked Door

Exploiting this does not require a zero-day in the kernel or heap Feng Shui. It requires curl. Because the server negotiates the TLS handshake without demanding a certificate, any tool that speaks HTTPS can interact with the API.

The Attack Chain:

  1. Recon: Identify a Keylime Registrar. It typically listens on port 8891.
  2. Access: Send a request without providing a client certificate.
# List all agents (The "Who is here?" attack)
curl -k https://target-registrar:8891/agents/
 
# Delete an agent (The Denial of Service attack)
curl -X DELETE -k https://target-registrar:8891/agents/c4a929fe-2e3b-4652-9b55-bf3c7e583c88

> [!NOTE] > The -k flag in curl is necessary because the attacker likely doesn't trust the server's CA, but the irony is that the server doesn't care if it trusts the attacker.

In a proper mTLS setup, the handshake would fail before the HTTP request is ever processed. Here, the handshake succeeds, and the Python application processes the request as an anonymous user, which the code logic failed to reject.

The Impact: Blinded by the Light

Why should you panic? If an attacker can delete agents from the Registrar, the Verifier (the component that checks health) loses track of them. The system effectively goes blind. You could have a compromised node in your cluster, but if the attacker deletes its registration, Keylime stops monitoring it.

Furthermore, the Registrar API exposes public keys and TPM metadata. While not as critical as private keys, this information allows an attacker to map out the infrastructure, identify specific hardware (via TPM Endorsement Keys), and prepare for more sophisticated attacks against specific nodes.

This is a CVSS 9.4 for a reason. It is network-accessible, requires no privileges, and completely undermines the integrity and availability of the trust system.

Restoring Sanity

The fix is straightforward: upgrade. The Keylime team patched this in versions 7.12.2 and 7.13.1 by removing the offending line of code.

If you cannot upgrade immediately:

  1. Firewall Rules: The Registrar should not be exposed to the open internet. Restrict access to port 8891 to only the IP addresses of your Verifier and Tenant nodes.
  2. Reverse Proxy: Put Nginx or HAProxy in front of the Registrar. Configure the proxy to perform the mTLS termination. If the proxy demands a certificate, the request will never reach the vulnerable Python code without one.

Official Patches

Keylime GitHubPatch commit for v7.12.x branch
Red HatRed Hat Security Advisory

Fix Analysis (1)

Technical Appendix

CVSS Score
9.4/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Systems

Keylime Registrar 7.12.0Keylime Registrar 7.13.0Red Hat Enterprise Linux 9Red Hat Enterprise Linux 10

Affected Versions Detail

Product
Affected Versions
Fixed Version
Keylime
Keylime Project
>= 7.12.0, <= 7.13.07.13.1
Red Hat Enterprise Linux
Red Hat
9Determined by package manager
AttributeDetail
CWE IDCWE-322 (Key Exchange without Entity Authentication)
CVSS Score9.4 (Critical)
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
ImpactHigh (Confidentiality, Integrity, Availability)

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1562Impair Defenses
Defense Evasion
T1046Network Service Discovery
Discovery
CWE-322
Key Exchange without Entity Authentication

Vulnerability Timeline

Vulnerability reported to Red Hat
2026-01-30
Fix committed to Keylime repository
2026-02-04
CVE-2026-1709 Published
2026-02-06

References & Sources

  • [1]GHSA-4jqp-9qjv-57m2
  • [2]Red Hat Bugzilla #2435514

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•18 minutes ago•GHSA-387M-935M-C4VW
7.5

GHSA-387m-935m-c4vw: Unbounded HTTP Redirections Enable Infinite Loop Denial of Service in Micronaut HTTP Client

The Netty-based HTTP Client in the Micronaut framework fails to enforce a maximum redirect ceiling by default when processing HTTP responses. This permits remote, attacker-controlled servers to trigger continuous, infinite redirect loops. The resulting recursion causes high CPU utilization, thread starvation, and potential memory exhaustion, inducing a Denial of Service (DoS) state in client-side applications.

Amit Schendel
Amit Schendel
1 views•6 min read
•about 1 hour ago•GHSA-Q6GH-6V2R-HJV3
8.8

GHSA-Q6GH-6V2R-HJV3: Cross-Origin Credential Leakage in Micronaut HTTP Client

An information disclosure vulnerability exists in the Micronaut Framework's HTTP client components. The client fails to clear sensitive authorization headers and cookies when following redirects across different origins. If an application using the vulnerable client communicates with an endpoint that issues a redirect to an external host, the client will forward the original credentials, leading to potential token theft and session hijacking.

Amit Schendel
Amit Schendel
2 views•6 min read
•about 1 hour ago•GHSA-52VM-MXX8-F227
7.7

GHSA-52vm-mxx8-f227: Arbitrary File Write and Decompression Denial of Service in phantom-audio

GHSA-52vm-mxx8-f227 is a dual-vector security flaw in phantom-audio (<= 1.3.0). The vulnerability allows arbitrary file writes due to unconfined Model Context Protocol (MCP) tool paths when the PHANTOM_OUTPUT_DIR environment variable is not defined. Concurrently, the platform lacks validation controls during the decompression of highly compressed audio files, resulting in resource-exhaustion denial of service and downstream parsing vulnerability exposure.

Amit Schendel
Amit Schendel
3 views•5 min read
•about 2 hours ago•GHSA-C43V-4CR8-6MVP
6.5

GHSA-C43V-4CR8-6MVP: Authenticated Path Traversal in Craft CMS Asset Icon Helper

An authenticated path traversal and arbitrary local file read vulnerability exists in Craft CMS versions 4.x up to 4.17.6 within the assets/icon endpoint and Assets helper classes. By exploiting this vulnerability, an authenticated user can traverse directories and read arbitrary .svg files on the server's filesystem, or execute Stored Cross-Site Scripting (XSS) if they can upload a malicious SVG.

Alon Barad
Alon Barad
3 views•8 min read
•about 2 hours ago•GHSA-86VW-X4WW-X467
8.6

CVE-2026-56382: Remote Code Execution in Craft CMS via Yii2 Event Handler Injection

CVE-2026-56382 is a high-severity remote code execution vulnerability in Craft CMS versions 5.5.0 through 5.9.13. The vulnerability exists within the FieldsController::actionRenderCardPreview() method due to a lack of sanitization of the user-supplied fieldLayoutConfig configuration array, permitting authenticated administrators to register arbitrary PHP callbacks using Yii2 event handler injection mechanisms. This issue has been fully remediated in version 5.9.14.

Amit Schendel
Amit Schendel
4 views•6 min read
•about 3 hours ago•GHSA-382C-VX95-W3P5
6.5

GHSA-382C-VX95-W3P5: Missing Access Control on Profile Endpoint and MCP Tool in Gittensory

An insecure direct object reference (IDOR) and missing authorization validation check in the Gittensory REST API and Model Context Protocol (MCP) server allowed authenticated users to query arbitrary miner profiles, exposing sensitive cryptographic hotkeys and daily financial/economic yields.

Alon Barad
Alon Barad
4 views•6 min read