Keylime Pie with a Side of Open Access: The CVE-2026-1709 Deep Dive
Vulnerability ID: CVE-2026-1709
CVSS Score: 9.4
Published: 2026-02-06
A critical authentication bypass in Keylime, a CNCF project designed for remote boot attestation using TPMs. Ironically, the component responsible for verifying trust (the Registrar) was configured to treat client certificates as 'optional' because of a logic error in the TLS initialization code. This allows unauthenticated attackers to wipe agent data, retrieve TPM metadata, and effectively blind the attestation service.
TL;DR
The Keylime Registrar, which manages TPM identities, had its mTLS verification set to 'Optional' instead of 'Required'. This allows any unauthenticated attacker with network access to query or delete agent records, effectively bypassing the entire security model of the registrar component. Fixed in versions 7.12.2 and 7.13.1.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-322 (Key Exchange without Entity Authentication)
- CVSS Score: 9.4 (Critical)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- Impact: High (Confidentiality, Integrity, Availability)
Affected Systems
- Keylime Registrar 7.12.0
- Keylime Registrar 7.13.0
- Red Hat Enterprise Linux 9
- Red Hat Enterprise Linux 10
- Keylime: >= 7.12.0, <= 7.13.0 (Fixed in: 7.13.1)
- Red Hat Enterprise Linux: 9 (Fixed in: determined by package manager)
Code Analysis
Commit: a37fe13
Removed verify_mode=CERT_OPTIONAL override in server.py
--- a/keylime/web/base/server.py
+++ b/keylime/web/base/server.py
@@ -252,7 +251,6 @@ def _use_config(self, component: str) -> None:
self._ssl_ctx = web_util.init_mtls(component)
- self._ssl_ctx.verify_mode = CERT_OPTIONAL
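Review bot: deleting the CERT_OPTIONAL override leaves nothing in this hunk that pins the resulting verify_mode, so the fix now depends entirely on web_util.init_mtls(component) returning a context that already has CERT_REQUIRED set, and that call is outside the visible change. Suggest adding an explicit guard right after it, e.g. `assert self._ssl_ctx.verify_mode == ssl.CERT_REQUIRED`, or a regression test that connects to the registrar without a client certificate and expects the handshake to fail, so a later change to init_mtls cannot silently reintroduce the bypass.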
Mitigation Strategies
- Upgrade Keylime to version 7.12.2 or 7.13.1 immediately.
- Implement network ACLs to restrict access to port 8891.
- Deploy a reverse proxy (Nginx/HAProxy) to enforce strict mTLS before traffic reaches the application.
Remediation Steps:
- Identify the version of Keylime installed (keylime_registrar --version).
- If the version is between 7.12.0 and 7.13.0, schedule immediate downtime.
- Apply the vendor patch or upgrade packages via dnf update keylime (on RHEL/Fedora).
- Verify the fix by attempting to curl the /agents/ endpoint without a certificate; it should now fail the handshake.
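The following is an added example, not Keylime's own code, showing the defect described in this advisory in miniature and the post-upgrade check from the remediation steps. It builds a server-side SSLContext in the weak (CERT_OPTIONAL) and corrected (CERT_REQUIRED) forms, audits which one would admit a client that presents no certificate, and includes a probe that does the "curl /agents/ without a certificate" verification from Python. The port 8891 and the /agents/ path come from the advisory; the host, CA file and the `make_server_context`, `accepts_anonymous_clients` and `probe_registrar` function names are assumptions made for the example.

```python
import socket
import ssl
from typing import Optional

# Added example, not Keylime code. A server context whose verify_mode is
# CERT_OPTIONAL completes the handshake for a client that sends no certificate;
# only CERT_REQUIRED rejects such a client, which is what an mTLS endpoint needs.


def make_server_context(require_client_cert: bool) -> ssl.SSLContext:
    """Build a server context; require_client_cert=False reproduces the weak setting."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # A real deployment would also call ctx.load_cert_chain(...) and
    # ctx.load_verify_locations(<registrar CA>) here; paths are deployment-specific
    # and omitted so the example runs without any files.
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_OPTIONAL
    return ctx


def accepts_anonymous_clients(ctx: ssl.SSLContext) -> bool:
    """Audit check: True if this context would admit a client with no certificate.

    Both CERT_OPTIONAL and CERT_NONE let certificate-less clients through;
    only CERT_REQUIRED fails the handshake for them.
    """
    return ctx.verify_mode != ssl.CERT_REQUIRED


def probe_registrar(host: str, port: int = 8891, ca_file: Optional[str] = None,
                    timeout: float = 5.0) -> bool:
    """Return True if the registrar serves a client that presents no certificate.

    This is the remediation step's curl check done from Python: after upgrading
    to 7.12.2 / 7.13.1 this should return False. ca_file is the registrar CA
    (assumed path, deployment-specific); without it server verification is
    skipped because the probe only asks whether *we* are authenticated.
    """
    client = ssl.create_default_context(cafile=ca_file)
    if ca_file is None:
        client.check_hostname = False
        client.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with client.wrap_socket(raw, server_hostname=host) as tls:
                # Under TLS 1.3 the server's "certificate required" alert arrives
                # after the client-side handshake returns, so send a request and
                # wait for a response byte before declaring the session accepted.
                request = (b"GET /agents/ HTTP/1.1\r\nHost: " + host.encode()
                           + b"\r\nConnection: close\r\n\r\n")
                tls.sendall(request)
                return len(tls.recv(1)) > 0
    except OSError:  # ssl.SSLError, connection refused, timeout all land here
        return False


if __name__ == "__main__":
    import sys
    weak, fixed = make_server_context(False), make_server_context(True)
    print("CERT_OPTIONAL admits anonymous clients:", accepts_anonymous_clients(weak))
    print("CERT_REQUIRED admits anonymous clients:", accepts_anonymous_clients(fixed))
    if len(sys.argv) > 1:
        # Usage: python probe.py <registrar-host> [ca-file]
        ca = sys.argv[2] if len(sys.argv) > 2 else None
        print("registrar admits anonymous clients:", probe_registrar(sys.argv[1], ca_file=ca))
```

The audit function is the piece worth wiring into a deployment test: the patch removes the override, but a check that the live context's verify_mode is CERT_REQUIRED is what stops the setting from drifting back. The probe deliberately reads a response byte after the handshake because with TLS 1.3 a client-side `do_handshake()` succeeds before the server has evaluated the (missing) client certificate.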
References
Read the full report for CVE-2026-1709 on our website for more details including interactive diagrams and full exploit analysis.