Skip to main content

Arqit SKA-Platform CVE-2026-33585

| EUVDEUVD-2026-30115 LOW
Improper Handling of Parameters (CWE-233)
2026-05-13 ENISA GHSA-3878-8q4v-56w7
3.8
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.8 LOW
AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Attack Vector
Physical
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 12:51 vuln.today
Patch available
May 13, 2026 - 20:02 EUVD

DescriptionCVE.org

Improper management of the idle timeout parameter in the Keycloak interface of the Arqit SKA-Platform enables an attacker to impersonate an authenticated tenant user via an unexpired browser session.

This issue affects Symmetric Key Agreement Platform: before 26.03.

AnalysisAI

Session impersonation in Arqit Symmetric Key Agreement Platform (SKA-Platform) prior to version 26.03 is enabled by improper idle timeout enforcement in the embedded Keycloak authentication interface, allowing browser sessions to persist beyond their intended expiry window. An attacker with physical access to an unattended device where a tenant user has an open, authenticated session can exploit the unexpired session to impersonate that user. No public exploit code exists and CISA has not listed this in KEV; EPSS is at the 0th percentile, consistent with SSVC's 'none' exploitation status and the severe physical-access prerequisite.

Technical ContextAI

The affected product is Arqit's Symmetric Key Agreement Platform (CPE: cpe:2.3:a:arqit:symmetric_key_agreement_platform:*:*:*:*:*:*:*:*), a quantum-safe key distribution service that uses Keycloak as its identity and access management layer. Keycloak supports configurable session idle timeout policies; CWE-233 (Improper Handling of Parameters) identifies the root cause as failure to correctly apply or propagate the idle timeout parameter - meaning the Keycloak session outlives the configured inactivity window. This is a configuration/parameter-lifecycle flaw rather than a cryptographic or protocol weakness, despite the platform's cryptographic focus. The impact is a stale but valid session token that remains exploitable after the user believes the session should have lapsed.

RemediationAI

Upgrade Arqit SKA-Platform to version 26.03 or later, which is confirmed as the vendor-released patch per the advisory. Where immediate upgrade is not possible, compensating controls should be applied at the Keycloak configuration level: manually enforce a shorter session idle timeout and maximum session lifetime in the Keycloak realm settings (Realm Settings → Tokens), reducing the window during which an abandoned session remains exploitable. Note that changes to global Keycloak realm token settings will affect all tenants and may interrupt legitimately active long-running sessions, so coordination with tenant users is advised. Additionally, organizations operating SKA-Platform on shared or semi-public workstations should enforce OS-level screen lock policies triggered on short inactivity intervals as a defense-in-depth measure. Refer to the NVD advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-33585 and ENISA EUVD-2026-30115 for further vendor guidance.

Share

CVE-2026-33585 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy