CVE-2026-1709

CVE-2026-1709 is a critical-severity missing authentication for critical function vulnerability in keylime (pip), affecting versions >= 7.12.0, < 7.12.2. It is fixed in 7.12.2, 7.13.1.

Summary

Workarounds

If upgrading is not immediately possible, apply one of the following mitigations:

1. Network isolation (Recommended)

Restrict access to the registrar HTTPS port (default 8891) using firewall rules
to allow only trusted hosts (verifier, tenant):

Example using iptables (order matters: the ACCEPT rules must precede the final DROP)

# allow the verifier and the tenant to reach the registrar port
iptables -A INPUT -p tcp --dport 8891 -s <verifier_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 8891 -s <tenant_ip> -j ACCEPT
# drop everything else destined for the registrar port
iptables -A INPUT -p tcp --dport 8891 -j DROP

2. Reverse proxy with mTLS enforcement

Deploy a reverse proxy (nginx, HAProxy) in front of the registrar that enforces client certificate authentication:

Example nginx configuration (the registrar itself is moved to port 8892 and must listen on loopback only, so that it cannot be reached except through the proxy)

server {
    listen 8891 ssl;
    ssl_certificate /path/to/server.crt;
    ssl_certificate_key /path/to/server.key;
    ssl_client_certificate /path/to/ca.crt;  # CA that issued the verifier/tenant client certificates
    ssl_verify_client on;  # Enforce client certificates

    location / {
        proxy_pass https://localhost:8892;  # Internal registrar port, bound to 127.0.0.1
    }
}

Impact

The Keylime registrar does not enforce mutual TLS (mTLS) client certificate authentication since version 7.12.0. The registrar's TLS context is configured with ssl.CERT_OPTIONAL instead of ssl.CERT_REQUIRED, allowing any client to connect to protected API endpoints without presenting a valid client certificate.

Who is impacted:

  • All Keylime deployments running versions 7.12.0 through 7.13.0
  • Environments where the registrar HTTPS port (default 8891) is network-accessible to untrusted clients

What an attacker can do:

  • List all registered agents (GET /v2/agents/) - enumerate the entire agent inventory
  • Retrieve agent details (GET /v2/agents/{uuid}) - obtain public TPM keys, certificates, and network locations (IP/port) of any agent
  • Delete any agent (DELETE /v2/agents/{uuid}) - remove agents from the registry, disrupting attestation services

Note: The exposed TPM data (EK, AK, certificates) consists of public keys and certificates. Private keys remain protected within TPM hardware. The HMAC secret used for challenge-response validation is stored in the database but is not exposed via the API.

Affected versions: >= 7.12.0, <= 7.13.0

Fixed versions: 7.12.2, >= 7.13.1

A critical operation is accessible without requiring any authentication. Typical impact: any user can invoke the privileged function.

CVE-2026-1709 has a CVSS score of 9.4 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (7.12.2, 7.13.1); upgrading removes the vulnerable code path.
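To check whether a registrar (or one of the workarounds above) really rejects clients that present no certificate, here is an added example; it is not Keylime's or Kodem's code. It assumes the server context is built the way this advisory describes it (web_util.init_mtls() sets CERT_REQUIRED and the vulnerable versions then override it with CERT_OPTIONAL), and the names build_registrar_context, mtls_enforced and probe_registrar are illustrative. The probe sends a single GET / over TLS without a client certificate and reports whether the TLS layer let it through; it does not read or modify agent data.

```python
"""Probe a Keylime registrar for client-certificate (mTLS) enforcement.

Added example for this advisory, not Keylime's own code. It assumes the
registrar's TLS listener is the port described above (default 8891) and
reproduces only the verify_mode behaviour the advisory describes.
"""
import socket
import ssl
from typing import Optional


def build_registrar_context(vulnerable: bool = False) -> ssl.SSLContext:
    """Server-side context mirroring the advisory's description (assumption).

    vulnerable=True applies the override that the CVE-2026-1709 fix removes.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED      # what init_mtls() is described as setting
    if vulnerable:
        ctx.verify_mode = ssl.CERT_OPTIONAL  # the line deleted by the fix
    return ctx


def mtls_enforced(ctx: ssl.SSLContext) -> bool:
    """Startup guard: True only if the context rejects clients without a certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


def probe_registrar(host: str, port: int = 8891, cafile: Optional[str] = None,
                    timeout: float = 5.0) -> str:
    """Connect WITHOUT presenting a client certificate and report what happens.

    Returns one of:
      "enforced"     - the server rejected the cert-less client at the TLS layer
      "not_enforced" - the server answered HTTP to a client with no certificate
      "tls_error"    - the probe could not validate the server's certificate
      "unreachable"  - no TCP connection (refused, timed out, name lookup failed)
    """
    client = ssl.create_default_context(cafile=cafile)  # presents no client cert
    if cafile is None:
        # No CA supplied: skip server validation so the probe measures only
        # client-certificate enforcement. Pass the registrar's CA in production.
        client.check_hostname = False
        client.verify_mode = ssl.CERT_NONE
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with sock, client.wrap_socket(sock, server_hostname=host) as tls:
            # With CERT_REQUIRED a TLS 1.2 server aborts the handshake; a TLS 1.3
            # server may finish it and send the alert on the first record, so
            # we must send something and read the reply to decide.
            tls.sendall(request)
            data = tls.recv(4096)
    except ssl.SSLCertVerificationError:
        return "tls_error"
    except ssl.SSLError:
        return "enforced"   # e.g. "certificate required" / handshake failure alert
    except OSError:
        return "enforced"   # connection reset or closed during the exchange
    if data.startswith(b"HTTP/"):
        return "not_enforced"
    return "enforced"       # closed without an HTTP response


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    print(f"{target}:8891 -> {probe_registrar(target, cafile=ca)}")
    for mode in (False, True):
        label = "vulnerable override" if mode else "patched"
        print(f"context ({label}) enforces mTLS: {mtls_enforced(build_registrar_context(mode))}")
```

Run it as `python probe.py <registrar_host> <ca.crt>`; "not_enforced" means a client without a certificate was served, which is the condition this advisory describes, and "enforced" is the expected result on 7.12.2 / 7.13.1 or behind the nginx workaround. mtls_enforced() is the kind of one-line guard a deployment can run against its own server context at startup so that a future override of verify_mode is caught immediately.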

Affected versions

keylime (>= 7.12.0, < 7.12.2)
keylime (= 7.13.0)

Security releases

keylime → 7.12.2 (pip)
keylime → 7.13.1 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

A patch for the affected released versions is available. It removes the line that overrides the configuration of ssl.verify_mode, leaving in place the CERT_REQUIRED value set by web_util.init_mtls():

diff --git a/keylime/web/base/server.py b/keylime/web/base/server.py
index 1d9a9c2..859b23a 100644
--- a/keylime/web/base/server.py
+++ b/keylime/web/base/server.py
@@ -2,7 +2,6 @@ import asyncio
 import multiprocessing
 from abc import ABC, abstractmethod
 from functools import wraps
-from ssl import CERT_OPTIONAL
 from typing import TYPE_CHECKING, Any, Callable, Optional

 import tornado
@@ -252,7 +251,6 @@ class Server(ABC):
         self._https_port = config.getint(component, "tls_port", fallback=0)
         self._max_upload_size = config.getint(component, "max_upload_size", fallback=104857600)
         self._ssl_ctx = web_util.init_mtls(component)
-        self._ssl_ctx.verify_mode = CERT_OPTIONAL

     def _get(self, pattern: str, controller: type["Controller"], action: str, allow_insecure: bool = False) -> None:
         """Creates a new route to handle incoming GET requests issued for paths which match the given
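Review bot: with the `self._ssl_ctx.verify_mode = CERT_OPTIONAL` line gone, enforcement now rests entirely on `web_util.init_mtls(component)` having set `CERT_REQUIRED`, which this hunk does not show; consider an explicit guard right after that call (for example `assert self._ssl_ctx.verify_mode == ssl.CERT_REQUIRED`, or logging the mode at startup) plus a unit test that constructs `Server` and asserts the mode, so a future override cannot silently reintroduce CVE-2026-1709. Since `_get` already carries an `allow_insecure` flag, per-route exemptions belong there rather than in a context-wide relaxation of `verify_mode`, and a short comment at the `init_mtls` call stating that would document the intent.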

Users should upgrade to a patched version (7.12.2 or 7.13.1).

Frequently Asked Questions

  1. What is CVE-2026-1709? CVE-2026-1709 is a critical-severity missing authentication for critical function vulnerability in keylime (pip), affecting versions >= 7.12.0, < 7.12.2. It is fixed in 7.12.2, 7.13.1. A critical operation is accessible without requiring any authentication.
  2. How severe is CVE-2026-1709? CVE-2026-1709 has a CVSS score of 9.4 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of keylime are affected by CVE-2026-1709? keylime (pip) versions >= 7.12.0, < 7.12.2 are affected.
  4. Is there a fix for CVE-2026-1709? Yes. CVE-2026-1709 is fixed in 7.12.2, 7.13.1. Upgrade to this version or later.
  5. Is CVE-2026-1709 exploitable, and should I be worried? Whether CVE-2026-1709 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-1709 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-1709?
    • Upgrade keylime to 7.12.2 or later
    • Upgrade keylime to 7.13.1 or later

Other vulnerabilities in keylime

  • CVE-2026-6420
  • CVE-2025-13609
  • CVE-2025-1057
  • CVE-2023-38201
  • CVE-2023-38200
