Skip to main content

Arqit SymKey Platform CVE-2026-33584

| EUVDEUVD-2026-30114 MEDIUM
Exposed Dangerous Method or Function (CWE-749)
2026-05-13 ENISA GHSA-7rhj-w7pg-37v4
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 10:50 vuln.today
Patch available
May 13, 2026 - 20:02 EUVD

DescriptionCVE.org

Exposed Keycloak management service in the Arqit Symmetric Key Agreement Platform enables unauthorized access to sensitive debug information such as metrics and health data. This issue affects Symmetric Key Agreement Platform: before 26.03.

AnalysisAI

Unauthenticated access to an exposed Keycloak management service in the Arqit Symmetric Key Agreement Platform allows remote attackers to read sensitive operational data including application metrics and health status without any credentials. All versions of the platform prior to 26.03 are affected. The CVSS vector (PR:N/AC:L) confirms no authentication is required and exploitation is straightforward; however, EPSS at 0.01% (1st percentile) and SSVC exploitation status of 'none' indicate no public exploit or active targeting observed at time of analysis.

Technical ContextAI

The Arqit Symmetric Key Agreement Platform (CPE: cpe:2.3:a:arqit:symmetric_key_agreement_platform:*:*:*:*:*:*:*:*) uses Keycloak as its identity and access management component. Keycloak exposes a management interface - typically including actuator-style endpoints for health checks and Prometheus-compatible metrics - that in this deployment was left network-accessible without authentication controls. CWE-749 (Exposed Dangerous Method or Function) precisely describes the root cause: a privileged management interface intended for internal operational use was made reachable to unauthenticated network actors. The tag 'Authentication Bypass' reflects the absence of access controls on this management plane, rather than a bypass of existing controls. Debug and metrics data from such endpoints can reveal internal service topology, JVM/runtime state, active session counts, and infrastructure health signals useful for reconnaissance.

RemediationAI

The primary fix is upgrading to Arqit Symmetric Key Agreement Platform version 26.03 or later, where the Keycloak management service exposure is addressed. Patch is confirmed available per vendor per EUVD-2026-30114; the exact release is version 26.03. For deployments that cannot immediately upgrade, compensating controls include: restricting network access to the Keycloak management port (typically 9990 or 8080/management context) via firewall or network policy to only trusted internal IPs or management networks - note this may impact monitoring tooling that relies on scraping those endpoints. Alternatively, configure Keycloak's management interface to require authentication via its built-in management security realm, though this configuration may differ by Keycloak version and should be validated against the platform's supported configuration. Advisory references: https://nvd.nist.gov/vuln/detail/CVE-2026-33584.

Share

CVE-2026-33584 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy