CVE-2026-1709
CRITICAL 9.4
Description
A flaw was found in Keylime. The Keylime registrar, since version 7.12.0, does not enforce client-side Transport Layer Security (TLS) authentication. This authentication bypass vulnerability allows unauthenticated clients with network access to perform administrative operations, including listing agents, retrieving public Trusted Platform Module (TPM) data, and deleting agents, by connecting without presenting a client certificate.
CVE Details
CVSS v3.1 Score: 9.4
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Published: 2/6/2026
Last Modified: 3/5/2026
Source: nvd
Honeypot Sightings: 0
Affected Products
keylime:keylime
redhat:enterprise_linux
redhat:enterprise_linux_eus
redhat:enterprise_linux_for_arm_64
redhat:enterprise_linux_for_arm_64_eus
redhat:enterprise_linux_for_ibm_z_systems
redhat:enterprise_linux_for_ibm_z_systems_eus
redhat:enterprise_linux_for_power_little_endian
redhat:enterprise_linux_for_power_little_endian_eus
Weaknesses (CWE)
CWE-322
References
https://access.redhat.com/errata/RHSA-2026:2224 (secalert@redhat.com)
https://access.redhat.com/errata/RHSA-2026:2225 (secalert@redhat.com)
https://access.redhat.com/errata/RHSA-2026:2298 (secalert@redhat.com)
https://access.redhat.com/security/cve/CVE-2026-1709 (secalert@redhat.com)
https://bugzilla.redhat.com/show_bug.cgi?id=2435514 (secalert@redhat.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.