CVE-2026-33583

The Arqit Symmetric Key Agreement Platform (SKA-Platform) exposes a REST API that permits retrieval of cryptographic keys via an unauthenticated and unencrypted HTTP GET method [1]. This vulnerability affects versions 25.09.x and 25.12. The exposed QKEY is used as an input into the 'OTA-Quantum' device registration process, and internal system keys are also accessible from the platform database [1].

An attacker with network access to the SKA-Platform can exploit this by sending a crafted HTTP GET request to the vulnerable endpoint. No authentication or encryption is required, and the attack complexity is high (AC:H) according to the CVSS vector [1]. The attacker must be on the same network segment to reach the service, but once accessed, keys are retrieved in plaintext.

Successful exploitation allows the attacker to obtain the QKEY and internal system keys, which can be used to the complete compromise of the device registration process and internal cryptographic operations. The CVSS v3.1 base score is 8.7 (HIGH) with impacts on confidentiality and integrity (C:H/I:H) [1]. The fixed version is 26.03 [1]. Arqit has released a patch, and users should upgrade immediately.