Bug 2435514 (CVE-2026-1709) - CVE-2026-1709 keylime: Keylime: Authentication bypass allows unauthorized administrative operations due to missing client-side TLS authentication
Keywords:
Status: NEW
Alias: CVE-2026-1709
Deadline: 2026-02-06
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-01-30 17:04 UTC by OSIDB Bzimport
Modified: 2026-03-07 00:18 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2026:2224  0        None      None    None     2026-02-09 02:43:54 UTC
Red Hat Product Errata  RHSA-2026:2225  0        None      None    None     2026-02-09 01:27:58 UTC
Red Hat Product Errata  RHSA-2026:2298  0        None      None    None     2026-02-09 09:40:21 UTC

Description OSIDB Bzimport 2026-01-30 17:04:17 UTC
The Keylime registrar since version 7.12.0 does not require client-side TLS authentication because ssl.CERT_REQUIRED is not set when configuring the TLS context. This allows unauthenticated clients to perform administrative operations (list agents, retrieve public TPM data, delete agents) by connecting without presenting a client certificate.
Requirements to exploit:

* Network access to the registrar HTTPS port (default 8891)
* No credentials, certificates, or special tools required
* Standard HTTP client (curl, wget, etc.) is sufficient


Mitigation if available:
1. Network isolation - Restrict network access to registrar port 8891 to only trusted verifier and tenant hosts using firewall rules
2. Reverse proxy with mTLS - Deploy a reverse proxy (nginx, HAProxy) in front of the registrar that enforces client certificate authentication
3. Upgrade - Apply the fix when released (adds ssl.CERT_REQUIRED to enforce client certificate validation)
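Added example, not part of the bug report and not Keylime's own code: the registrar-side TLS context built the vulnerable way (verify_mode left at the CERT_NONE default of a server context) beside the corrected way (CERT_REQUIRED set, which is what the fix adds), an audit function that flags both a missing client-auth requirement and a CA store that was never loaded, and a probe that connects to a registrar's port 8891 with no client certificate and issues a GET, so a host can be checked before and after patching. The CA bundle path and the request path "/v2/agents/" are assumptions (adjust the API version to the deployment); the port and the missing-CERT_REQUIRED cause are taken from the description above.

```python
"""Vulnerable vs. fixed registrar TLS context, plus a certificate-less probe.
Added illustration for CVE-2026-1709; not Keylime code."""
import socket
import ssl
import sys


def build_registrar_context(ca_path=None, require_client_cert=True):
    """Server-side context in the shape the registrar uses on its TLS port.

    With require_client_cert=False this reproduces the bug: a freshly created
    PROTOCOL_TLS_SERVER context defaults to verify_mode=CERT_NONE, so the
    server never asks the client for a certificate at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_path:
        # Assumed path: the CA that issued tenant/verifier client certificates.
        ctx.load_verify_locations(cafile=ca_path)
    if require_client_cert:
        # The one line the fix adds; without it verify_mode stays CERT_NONE.
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx):
    """Check a server context for the two ways client auth can be ineffective.

    Returns a dict of booleans plus a human-readable list of problems.
    """
    client_cert_required = ctx.verify_mode == ssl.CERT_REQUIRED
    # cert_store_stats() counts what load_verify_locations() actually loaded;
    # CERT_REQUIRED with an empty store rejects every client (wrong the other way).
    ca_loaded = ctx.cert_store_stats()["x509_ca"] > 0
    problems = []
    if not client_cert_required:
        problems.append(
            "verify_mode is %s, not CERT_REQUIRED: clients without a "
            "certificate are accepted" % ctx.verify_mode.name
        )
    if not ca_loaded:
        problems.append("no CA certificate loaded: no client certificate can validate")
    return {
        "client_cert_required": client_cert_required,
        "ca_loaded": ca_loaded,
        "ok": not problems,
        "problems": problems,
    }


def probe_registrar(host, port=8891, path="/v2/agents/", timeout=5.0):
    """Connect with no client certificate and try the agent-list endpoint.

    Returns (served, detail). served=True means the server completed the TLS
    handshake and answered the request, i.e. it behaves like the unpatched
    registrar. A correctly configured server rejects the session; with TLS 1.3
    the rejection can surface on the first recv() rather than in wrap_socket(),
    which is why both calls sit inside the same try block.
    """
    cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cctx.check_hostname = False  # we are probing, not trusting the server
    cctx.verify_mode = ssl.CERT_NONE
    request = (
        "GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % (path, host)
    ).encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with cctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(request)
                data = tls.recv(4096)
    except ssl.SSLError as exc:
        return False, "handshake/record rejected: %s" % exc
    except OSError as exc:
        return False, "connection failed: %s" % exc
    status_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return True, status_line or "empty response"


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        # usage: python keylime_8891_check.py <registrar-host> [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 8891
        served, detail = probe_registrar(sys.argv[1], port)
        print("VULNERABLE" if served else "rejected", "-", detail)
    else:
        for label, ctx in (
            ("vulnerable (7.12.0+ before fix)",
             build_registrar_context(require_client_cert=False)),
            ("fixed", build_registrar_context(require_client_cert=True)),
        ):
            report = audit_context(ctx)
            print(label, "->", "ok" if report["ok"] else "; ".join(report["problems"]))
```

Run with no arguments to see the audit of both contexts (the "fixed" one still reports a missing CA because no bundle path is supplied here); run with a registrar hostname to probe it. A "VULNERABLE" result means a client with no certificate got an HTTP response from port 8891, which is exactly what the description above says an unauthenticated caller can do.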

Comment 3 errata-xmlrpc 2026-02-09 01:27:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:2225 https://access.redhat.com/errata/RHSA-2026:2225

Comment 4 errata-xmlrpc 2026-02-09 02:43:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:2224 https://access.redhat.com/errata/RHSA-2026:2224

Comment 5 errata-xmlrpc 2026-02-09 09:40:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:2298 https://access.redhat.com/errata/RHSA-2026:2298

Comment 6 Fedora Update System 2026-03-04 00:55:34 UTC
FEDORA-2026-e5027335a3 (keylime-7.14.1-1.fc43 and keylime-agent-rust-0.2.9-1.fc43) has been pushed to the Fedora 43 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 7 Fedora Update System 2026-03-04 01:25:15 UTC
FEDORA-2026-c2b5451b35 (keylime-7.14.1-1.fc42 and keylime-agent-rust-0.2.9-1.fc42) has been pushed to the Fedora 42 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 8 Fedora Update System 2026-03-07 00:18:51 UTC
FEDORA-2026-2b8b223cf0 (keylime-7.14.1-1.fc44 and keylime-agent-rust-0.2.9-1.fc44) has been pushed to the Fedora 44 stable repository.
If the problem still persists, please make note of it in this bug report.

