Description
A flaw was found in Keylime. The Keylime registrar, since version 7.12.0, does not enforce client-side Transport Layer Security (TLS) authentication. This authentication bypass vulnerability allows unauthenticated clients with network access to perform administrative operations, including listing agents, retrieving public Trusted Platform Module (TPM) data, and deleting agents, by connecting without presenting a client certificate.
CVSS Metrics
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
- Attack Vector
- network
- Complexity
- low
- Privileges
- none
- User Action
- none
- Scope
- unchanged
- Confidentiality
- low
- Integrity
- high
- Availability
- high
- Weaknesses
- CWE-322NVD-CWE-noinfo
Metadata
- Primary Vendor
- KEYLIME
- Published
- 2/6/2026
- Last Modified
- 3/5/2026
- Source
- NIST NVD
- Note: Verify all details with official vendor sources before applying patches.
Affected Products
keylime : keylimeredhat : enterprise_linuxredhat : enterprise_linuxredhat : enterprise_linux_eusredhat : enterprise_linux_for_arm_64redhat : enterprise_linux_for_arm_64redhat : enterprise_linux_for_arm_64_eusredhat : enterprise_linux_for_ibm_z_systemsredhat : enterprise_linux_for_ibm_z_systemsredhat : enterprise_linux_for_ibm_z_systems_eusredhat : enterprise_linux_for_power_little_endianredhat : enterprise_linux_for_power_little_endianredhat : enterprise_linux_for_power_little_endian_eus
AI-Powered Remediation
Generate remediation guidance or a C-suite brief for this vulnerability.