Keylime: keylime: authentication bypass allows unauthorized administrative operations due to missing client-side tls authentication
Description
A flaw was found in Keylime. The Keylime registrar, since version 7.12.0, does not enforce client-side Transport Layer Security (TLS) authentication. This authentication bypass vulnerability allows unauthenticated clients with network access to perform administrative operations, including listing agents, retrieving public Trusted Platform Module (TPM) data, and deleting agents, by connecting without presenting a client certificate.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Keylime Registrar 7.12.0 and later does not enforce client-side TLS authentication, allowing unauthenticated clients with network access to perform administrative operations.
Vulnerability Overview
A flaw exists in the Keylime Registrar component, introduced in version 7.12.0, where client-side Transport Layer Security (TLS) authentication is not enforced. This authentication bypass vulnerability allows an unauthenticated client with network access to perform administrative operations, such as listing agents, retrieving public TPM data, and deleting agents, without presenting a valid client certificate [1][2].
Attack Vector and Prerequisites
The attacker must have network connectivity to the Keylime Registrar service. No prior authentication or pre-existing trust relationship is required. The vulnerability stems from the registrar's failure to verify TLS client certificates during connection establishment, effectively disabling mutual TLS (mTLS) for the registrar's API endpoints [2][4].
Impact
An attacker who exploits this flaw can execute privileged operations, including enumerating registered agents, retrieving public TPM blobs, and removing agent entries from the registrar's database. This compromises the trust model of the entire Keylime deployment, because the registrar acts as the central database for agent identities and TPM public keys [3][4].
Mitigation Status
The vulnerability is classified as urgent severity by Red Hat and affects all Keylime deployments using the Registrar from version 7.12.0 onward. At the time of publication, a fix had not been released, and users are advised to restrict network access to the registrar as a workaround until a patched version is available [1][4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| keylime (PyPI) | >= 7.12.0, < 7.12.2 | 7.12.2 |
| keylime (PyPI) | >= 7.13.0, < 7.13.1 | 7.13.1 |
Affected products
- Red Hat / Red Hat Enterprise Linux 9 (cpe:/a:redhat:enterprise_linux:9::appstream), affected range: 0:7.12.1-11.el9_7.4
- Red Hat / Red Hat Enterprise Linux 10 (cpe:/o:redhat:enterprise_linux:10.1), affected range: 0:7.12.1-11.el10_1.4
- Red Hat / Red Hat Enterprise Linux 10.0 Extended Update Support (cpe:/o:redhat:enterprise_linux_eus:10.0), affected range: 0:7.12.1-2.el10_0.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- access.redhat.com/errata/RHSA-2026:2224 (mitre; vendor-advisory; x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2026:2225 (mitre; vendor-advisory; x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2026:2298 (mitre; vendor-advisory; x_refsource_REDHAT)
- github.com/advisories/GHSA-4jqp-9qjv-57m2 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-1709 (ghsa; ADVISORY)
- access.redhat.com/security/cve/CVE-2026-1709 (ghsa; vdb-entry; x_refsource_REDHAT; WEB)
- bugzilla.redhat.com/show_bug.cgi (ghsa; issue-tracking; x_refsource_REDHAT; WEB)
- github.com/keylime/keylime/security/advisories/GHSA-4jqp-9qjv-57m2 (ghsa; WEB)
News mentions
No linked articles in our index yet.