CVE-2026-33584
Description
Exposed Keycloak management service in the Arqit Symmetric Key Agreement Platform enables unauthorized access to sensitive debug information such as metrics and health data. This issue affects Symmetric Key Agreement Platform: before 26.03.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated exposure of Keycloak metrics interface in Arqit Symmetric Key Agreement Platform before 26.03 leaks sensitive debug information.
Vulnerability
The Arqit Symmetric Key Agreement Platform (SKA-Platform) exposes a Keycloak management service that allows retrieving metrics and health data via unauthenticated and unencrypted HTTP GET requests [1]. This configuration, specifically warned against by the Keycloak developer, leads to unauthorized access to sensitive debug information. Affected versions are 25.09.x and 25.12 [1].
Exploitation
An attacker with network access can send an unauthenticated HTTP GET request to the unprotected Keycloak metrics endpoint [1]. The request is sent over unencrypted HTTP and needs no authentication or user interaction; network connectivity to the service is the only requirement.
Impact
Successful exploitation results in disclosure of sensitive debug information, including metrics and health data, leading to low confidentiality impact [1]. No other CIA impacts are stated.
Mitigation
The issue is fixed in version 26.03 of the Symmetric Key Agreement Platform [1]. Upgrading to this version or later resolves the vulnerability. No workarounds are documented in the available reference.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
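An operator can use the following check against their own deployment to confirm whether the exposure described above is present, or gone after upgrading. It is an added example, not code from Arqit or the Keycloak project. The `/metrics` and `/health` paths are Keycloak's default endpoint names and are assumed here, the base URL passed to `probe` is a placeholder for a host you operate, and the sample bodies are constructed.

```python
import json
import urllib.error
import urllib.request

# Assumption: Keycloak's default management paths (not named on the page).
PATHS = ("/metrics", "/health")

# Constructed sample bodies in the shape each endpoint normally returns.
SAMPLE_METRICS = "# HELP jvm_threads_live Live threads\n# TYPE jvm_threads_live gauge\njvm_threads_live 42.0\n"
SAMPLE_HEALTH = '{"status": "UP", "checks": []}'

def classify(scheme, status, body):
    """Return findings for one credential-free response from a management path."""
    if status != 200:
        return []  # 401/403/404 or no answer: nothing was served anonymously
    # Prometheus text exposition carries "# HELP"/"# TYPE" comment lines.
    is_metrics = any(l.startswith(("# HELP ", "# TYPE ")) for l in body.splitlines())
    try:
        doc = json.loads(body)
        is_health = isinstance(doc, dict) and "status" in doc
    except ValueError:
        is_health = False
    if not (is_metrics or is_health):
        return []  # 200 with unrelated content, e.g. a login page
    findings = ["unauthenticated"]
    if scheme == "http":
        findings.append("unencrypted")
    return findings

def probe(base_url, timeout=5):
    """Send one GET without credentials per path and classify each answer."""
    scheme = base_url.split("://", 1)[0].lower()
    results = {}
    for path in PATHS:
        try:
            url = base_url.rstrip("/") + path
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                status = resp.status
                body = resp.read(65536).decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            status, body = err.code, ""
        except OSError:
            status, body = 0, ""  # refused, filtered or timed out
        results[path] = classify(scheme, status, body)
    return results

if __name__ == "__main__":
    print(classify("http", 200, SAMPLE_METRICS))
```

An empty list for every path means the endpoint did not serve metrics or health data to an anonymous client from the network position where the check was run.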
Patches
No patches discovered yet.
References