Severity by source
AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper management of the idle timeout parameter in the Keycloak interface of the Arqit SKA-Platform enables an attacker to impersonate an authenticated tenant user via an unexpired browser session.
This issue affects Symmetric Key Agreement Platform: before 26.03.
AnalysisAI
Session impersonation in Arqit Symmetric Key Agreement Platform (SKA-Platform) prior to version 26.03 is enabled by improper idle timeout enforcement in the embedded Keycloak authentication interface, allowing browser sessions to persist beyond their intended expiry window. An attacker with physical access to an unattended device where a tenant user has an open, authenticated session can exploit the unexpired session to impersonate that user. No public exploit code exists and CISA has not listed this in KEV; EPSS is at the 0th percentile, consistent with SSVC's 'none' exploitation status and the severe physical-access prerequisite.
Technical ContextAI
The affected product is Arqit's Symmetric Key Agreement Platform (CPE: cpe:2.3:a:arqit:symmetric_key_agreement_platform:*:*:*:*:*:*:*:*), a quantum-safe key distribution service that uses Keycloak as its identity and access management layer. Keycloak supports configurable session idle timeout policies; CWE-233 (Improper Handling of Parameters) identifies the root cause as failure to correctly apply or propagate the idle timeout parameter - meaning the Keycloak session outlives the configured inactivity window. This is a configuration/parameter-lifecycle flaw rather than a cryptographic or protocol weakness, despite the platform's cryptographic focus. The impact is a stale but valid session token that remains exploitable after the user believes the session should have lapsed.
RemediationAI
Upgrade Arqit SKA-Platform to version 26.03 or later, which is confirmed as the vendor-released patch per the advisory. Where immediate upgrade is not possible, compensating controls should be applied at the Keycloak configuration level: manually enforce a shorter session idle timeout and maximum session lifetime in the Keycloak realm settings (Realm Settings → Tokens), reducing the window during which an abandoned session remains exploitable. Note that changes to global Keycloak realm token settings will affect all tenants and may interrupt legitimately active long-running sessions, so coordination with tenant users is advised. Additionally, organizations operating SKA-Platform on shared or semi-public workstations should enforce OS-level screen lock policies triggered on short inactivity intervals as a defense-in-depth measure. Refer to the NVD advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-33585 and ENISA EUVD-2026-30115 for further vendor guidance.
Sensitive key material disclosure in Arqit Symmetric Key Agreement Platform versions before 26.03 allows remote unauthen
Unauthenticated access to an exposed Keycloak management service in the Arqit Symmetric Key Agreement Platform allows re
Same weakness CWE-233 – Improper Handling of Parameters
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30115
GHSA-3878-8q4v-56w7