Skip to main content

Symmetric Key Agreement Platform

3 CVEs product

Monthly

CVE-2026-33585 LOW PATCH Monitor

Session impersonation in Arqit Symmetric Key Agreement Platform (SKA-Platform) prior to version 26.03 is enabled by improper idle timeout enforcement in the embedded Keycloak authentication interface, allowing browser sessions to persist beyond their intended expiry window. An attacker with physical access to an unattended device where a tenant user has an open, authenticated session can exploit the unexpired session to impersonate that user. No public exploit code exists and CISA has not listed this in KEV; EPSS is at the 0th percentile, consistent with SSVC's 'none' exploitation status and the severe physical-access prerequisite.

Information Disclosure Symmetric Key Agreement Platform
NVD
CVSS 3.1
3.8
EPSS
0.0%
CVE-2026-33584 MEDIUM PATCH This Month

Unauthenticated access to an exposed Keycloak management service in the Arqit Symmetric Key Agreement Platform allows remote attackers to read sensitive operational data including application metrics and health status without any credentials. All versions of the platform prior to 26.03 are affected. The CVSS vector (PR:N/AC:L) confirms no authentication is required and exploitation is straightforward; however, EPSS at 0.01% (1st percentile) and SSVC exploitation status of 'none' indicate no public exploit or active targeting observed at time of analysis.

Authentication Bypass Symmetric Key Agreement Platform
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-33583 HIGH PATCH This Week

Sensitive key material disclosure in Arqit Symmetric Key Agreement Platform versions before 26.03 allows remote unauthenticated attackers to retrieve the QKEY (a critical input to the OTA-Quantum device registration process) along with internal system keys via a plain HTTP GET request. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.03%), but the high CVSS of 8.7 with scope-change reflects the severe downstream cryptographic compromise possible once these keys leak. A vendor patch is available in version 26.03.

Information Disclosure Symmetric Key Agreement Platform
NVD VulDB
CVSS 3.1
8.7
EPSS
0.0%
EPSS 0% CVSS 3.8
LOW PATCH Monitor

Session impersonation in Arqit Symmetric Key Agreement Platform (SKA-Platform) prior to version 26.03 is enabled by improper idle timeout enforcement in the embedded Keycloak authentication interface, allowing browser sessions to persist beyond their intended expiry window. An attacker with physical access to an unattended device where a tenant user has an open, authenticated session can exploit the unexpired session to impersonate that user. No public exploit code exists and CISA has not listed this in KEV; EPSS is at the 0th percentile, consistent with SSVC's 'none' exploitation status and the severe physical-access prerequisite.

Information Disclosure Symmetric Key Agreement Platform
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unauthenticated access to an exposed Keycloak management service in the Arqit Symmetric Key Agreement Platform allows remote attackers to read sensitive operational data including application metrics and health status without any credentials. All versions of the platform prior to 26.03 are affected. The CVSS vector (PR:N/AC:L) confirms no authentication is required and exploitation is straightforward; however, EPSS at 0.01% (1st percentile) and SSVC exploitation status of 'none' indicate no public exploit or active targeting observed at time of analysis.

Authentication Bypass Symmetric Key Agreement Platform
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Sensitive key material disclosure in Arqit Symmetric Key Agreement Platform versions before 26.03 allows remote unauthenticated attackers to retrieve the QKEY (a critical input to the OTA-Quantum device registration process) along with internal system keys via a plain HTTP GET request. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.03%), but the high CVSS of 8.7 with scope-change reflects the severe downstream cryptographic compromise possible once these keys leak. A vendor patch is available in version 26.03.

Information Disclosure Symmetric Key Agreement Platform
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy