PT-2026-6781 · Keylime+1

Bzimport · Published 2026-02-06 · Updated 2026-03-19 · CVE-2026-1709

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Keylime versions 7.12.0 and later

Description: A flaw exists in Keylime where the registrar does not enforce client-side Transport Layer Security (TLS) authentication. This allows unauthenticated clients with network access to perform administrative operations by connecting without presenting a client certificate. These operations include listing agents, retrieving public Trusted Platform Module (TPM) data, and deleting agents.

Recommendations: On Keylime versions 7.12.0 and later, client-side TLS authentication must be enforced to prevent unauthorized administrative operations.

Fix

Weakness Enumeration

Improper Certificate Validation
Missing Authentication

Related Identifiers

ALSA-2026:2224
ALSA-2026:2225
CVE-2026-1709
GHSA-27JC-JMP8-QFW5
GHSA-4JQP-9QJV-57M2
OPENSUSE-SU-2026:10165-1
OPENSUSE-SU-2026:20398-1
PYSEC-2026-74
RHSA-2026:2224
RHSA-2026:2225
RHSA-2026:2298
SUSE-SU-2026:20912-1

Affected Products

Keylime
Rocky Linux