CVE-2026-1709
Published: 06 February 2026
Summary
CVE-2026-1709 is a critical-severity Key Exchange without Entity Authentication (CWE-322) vulnerability in Red Hat Enterprise Linux. Its CVSS base score is 9.4 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 8.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and IA-3 (Device Identification and Authentication).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires validation and use of public key infrastructure certificates for remote authentication, directly mitigating the failure to enforce client-side TLS client certificates on the Keylime registrar.
- Mandates unique identification and authentication of devices before establishing remote connections, preventing unauthenticated clients from accessing the registrar's administrative functions.
- Establishes approval, authorization, and protection requirements for remote access, ensuring only authenticated connections can perform operations like agent management on the registrar.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Auth bypass in network-accessible registrar directly enables remote exploitation of public-facing service for unauthorized admin actions.
NVD Description
A flaw was found in Keylime. The Keylime registrar, since version 7.12.0, does not enforce client-side Transport Layer Security (TLS) authentication. This authentication bypass vulnerability allows unauthenticated clients with network access to perform administrative operations, including listing agents, retrieving public Trusted Platform Module (TPM) data, and deleting agents, by connecting without presenting a client certificate.
Deeper analysis
CVE-2026-1709 is an authentication bypass vulnerability in the Keylime registrar component, affecting versions since 7.12.0. The flaw arises because the registrar fails to enforce client-side Transport Layer Security (TLS) authentication, allowing clients to connect without presenting a required client certificate. This issue, associated with CWE-322, has a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H), indicating critical severity due to high impacts on integrity and availability.
Any unauthenticated attacker with network access to the Keylime registrar can exploit this vulnerability to perform administrative operations. Successful exploitation enables listing agents, retrieving public Trusted Platform Module (TPM) data, and deleting agents, potentially disrupting Keylime's agent management and attestation functions without requiring privileges or user interaction.
Red Hat has issued multiple security advisories addressing this vulnerability, including RHSA-2026:2224, RHSA-2026:2225, and RHSA-2026:2298, along with detailed information on their CVE page and Bugzilla entry (ID 2435514). These resources provide guidance on applying patches to mitigate the authentication bypass.
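To make the failure mode concrete, the following Python snippet is an added illustration and is not part of this advisory or of Keylime's own code. It contrasts a server-side TLS context that never asks the peer for a certificate (the condition described above, where any client with network reach completes the handshake) with one that requires and verifies a client certificate, and it provides a small audit function a deployer could run against their own context before exposing a registrar-like service. The function names and the optional CA file path are assumptions made for the example.

```python
import ssl
from typing import Optional


def weak_server_context() -> ssl.SSLContext:
    """Constructed example of the weak setting: the server neither requests
    nor checks a client certificate, so an unauthenticated peer completes the
    TLS handshake and reaches the application layer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_server_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Hardened counterpart: the handshake itself fails unless the peer presents
    a certificate chaining to the trusted CA, so application code never sees
    an unauthenticated client. `cafile` is a hypothetical path to the
    deployment's CA bundle; when omitted the context is built without a trust
    store so the example can run offline."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def audit_server_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings for a server-side context; an empty list
    means client certificates are mandatory and the protocol floor is TLS 1.2."""
    findings = []
    # CERT_OPTIONAL is not enough: it requests a certificate but still accepts
    # peers that send none, pushing the check onto application code.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("client certificate not required (verify_mode != CERT_REQUIRED)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum TLS version below 1.2")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_server_context()),
                      ("hardened", hardened_server_context())):
        print(name, audit_server_context(ctx) or ["ok"])
```

The key point for a defender is that `CERT_REQUIRED` moves the authentication decision into the TLS handshake, where a missing certificate is a hard failure; with `CERT_NONE` or `CERT_OPTIONAL` every request handler must check `getpeercert()` itself, and a single forgotten check is exactly the kind of gap this advisory describes.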
Details
- CWE(s)