Bug 2435514 (CVE-2026-1709) - CVE-2026-1709 keylime: Keylime: Authentication bypass allows unauthorized administrative operations due to missing client-side TLS authentication
Status: NEW
Alias: CVE-2026-1709
Deadline: 2026-02-06
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Product Security DevOps Team
Reported: 2026-01-30 17:04 UTC by OSIDB Bzimport
Modified: 2026-02-09 02:43 UTC (History)





Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2026:2224  0        None      None    None     2026-02-09 02:43:54 UTC
Red Hat Product Errata  RHSA-2026:2225  0        None      None    None     2026-02-09 01:27:58 UTC

Description OSIDB Bzimport 2026-01-30 17:04:17 UTC
The Keylime registrar since version 7.12.0 does not require client-side TLS authentication because ssl.CERT_REQUIRED is not set when configuring the TLS context. This allows unauthenticated clients to perform administrative operations (list agents, retrieve public TPM data, delete agents) by connecting without presenting a client certificate.
Requirements to exploit:

* Network access to the registrar HTTPS port (default 8891)
* No credentials, certificates, or special tools required
* Standard HTTP client (curl, wget, etc.) is sufficient


Mitigation if available:
1. Network isolation - Restrict network access to registrar port 8891 to only trusted verifier and tenant hosts using firewall rules
2. Reverse proxy with mTLS - Deploy a reverse proxy (nginx, HAProxy) in front of the registrar that enforces client certificate authentication
3. Upgrade - Apply the fix when released (adds ssl.CERT_REQUIRED to enforce client certificate validation)
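As an added illustration (not Keylime's own code), the Python ssl configuration pattern the description refers to: a server-side context whose verify_mode is left at the default (ssl.CERT_NONE) beside one that sets ssl.CERT_REQUIRED, plus an audit check a deployer can apply to any context. Certificate and CA paths are placeholder arguments; with no CA loaded, the hardened context rejects every client.

```python
import ssl
from typing import Optional


def weak_server_context(cert_file: Optional[str] = None,
                        key_file: Optional[str] = None) -> ssl.SSLContext:
    """Server-side TLS context that never asks the client for a certificate.

    create_default_context(Purpose.CLIENT_AUTH) leaves verify_mode at
    ssl.CERT_NONE: the server presents its own certificate but accepts any
    peer, which is the condition described in this bug.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    if cert_file:  # placeholder paths supplied by the caller
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def optional_server_context() -> ssl.SSLContext:
    """CERT_OPTIONAL only requests a certificate; a client that sends none
    still completes the handshake, so it is not a fix either."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.verify_mode = ssl.CERT_OPTIONAL
    return ctx


def hardened_server_context(cert_file: Optional[str] = None,
                            key_file: Optional[str] = None,
                            ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Mutual TLS enforced: CERT_REQUIRED makes the handshake fail unless the
    client presents a certificate chaining to the CA loaded here."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:  # placeholder path to the CA that issued client certs
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def enforces_client_auth(ctx: ssl.SSLContext) -> bool:
    """Audit helper: True only when anonymous clients are rejected."""
    return ctx.verify_mode == ssl.CERT_REQUIRED
```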

Comment 3 errata-xmlrpc 2026-02-09 01:27:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:2225 https://access.redhat.com/errata/RHSA-2026:2225

Comment 4 errata-xmlrpc 2026-02-09 02:43:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:2224 https://access.redhat.com/errata/RHSA-2026:2224

