CVE-2026-1709

9.4 CRITICAL

📋 TL;DR

Keylime versions 7.12.0 and later have a critical authentication bypass vulnerability where the registrar fails to enforce client-side TLS certificate authentication. This allows unauthenticated network attackers to perform administrative operations like listing agents, retrieving TPM data, and deleting agents. Any organization using Keylime for remote attestation with the vulnerable versions is affected.

💻 Affected Systems

Products:
  • Keylime
Versions: 7.12.0 and later
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the Keylime registrar component; agents and the verifier are not directly vulnerable. Requires network access to the registrar service (typically port 8890).

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could delete all registered agents, disrupt the entire remote attestation infrastructure, and potentially compromise TPM-based security chains by retrieving sensitive public TPM data.

🟠

Likely Case

Unauthenticated attackers on the same network could enumerate agents, retrieve TPM public keys, and selectively delete agents to disrupt specific services or bypass attestation controls.

🟢

If Mitigated

With proper network segmentation and access controls, exposure is limited to the internal users and hosts allowed to reach the registrar; anyone who gains that network access can still exploit the vulnerability.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only network access and basic HTTP/TLS client tools. No authentication or special privileges needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.13.0 or later

Vendor Advisory: https://access.redhat.com/security/cve/CVE-2026-1709

Restart Required: Yes

Instructions:

1. Update Keylime to version 7.13.0 or later.
2. Restart the registrar service.
3. Verify that TLS client authentication is enforced.

🔧 Temporary Workarounds

Network Segmentation

Restrict network access to the Keylime registrar service to trusted hosts only (replace trusted_ip_range with your management network). Because -A appends to the end of the INPUT chain, these rules only take effect if no earlier rule already accepts traffic to port 8890; check the chain order with iptables -L INPUT -n --line-numbers.

iptables -A INPUT -p tcp --dport 8890 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p tcp --dport 8890 -j DROP

TLS Client Certificate Enforcement

Manually configure the registrar to require client certificates: edit /etc/keylime/registrar.conf, set require_client_cert = True, then restart the service.

systemctl restart keylime_registrar

🧯 If You Can't Patch

  • Implement strict network access controls to limit registrar access to authorized management hosts only
  • Monitor registrar logs for unauthorized access attempts and implement alerting

🔍 How to Verify

Check if Vulnerable:

Check the installed Keylime version with keylime_verifier --version (the registrar and verifier ship in the same package). If the version is 7.12.0 or higher, test whether the registrar accepts connections without a client certificate, for example with curl or openssl s_client.

Check Version:

keylime_verifier --version

Verify Fix Applied:

After patching, attempt to connect to the registrar without a client certificate; the connection should be rejected during the TLS handshake. Verify that the version is 7.13.0 or later.

📡 Detection & Monitoring

Log Indicators:

  • Registrar accepting connections without client certificates
  • Unauthorized administrative operations from unexpected IPs
  • Multiple agent deletion or listing requests

Network Indicators:

  • TCP connections to port 8890 from unauthorized sources
  • HTTP requests to registrar endpoints without TLS client auth

SIEM Query:

source="keylime_registrar.log" AND (("client certificate" AND NOT "present") OR "authentication failed")
