
CVE-2026-1709

Severity: Critical
Published: 06 February 2026
Modified: 27 June 2026
KEV added: not listed
Remediation: patch available
CVSS v3.1 score: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H)
EPSS score: 0.0580 (92.2nd percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-1709 is a critical-severity Key Exchange without Entity Authentication (CWE-322) vulnerability in Red Hat Enterprise Linux. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 7.8% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and IA-3 (Device Identification and Authentication).

Deeper analysis

CVE-2026-1709 is an authentication bypass vulnerability in the Keylime registrar component, affecting versions since 7.12.0. The flaw arises because the registrar fails to enforce client-side Transport Layer Security (TLS) authentication: the TLS handshake completes even when the client presents no certificate, so the registrar never verifies who is connecting. This issue, associated with CWE-322, has a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H), indicating critical severity due to high impacts on integrity and availability.

Any unauthenticated attacker with network access to the Keylime registrar can exploit this vulnerability to perform administrative operations. Successful exploitation enables listing agents, retrieving public Trusted Platform Module (TPM) data, and deleting agents, potentially disrupting Keylime's agent management and attestation functions without requiring privileges or user interaction.

Red Hat has issued multiple security advisories addressing this vulnerability, including RHSA-2026:2224, RHSA-2026:2225, and RHSA-2026:2298, along with detailed information on their CVE page and Bugzilla entry (ID 2435514). These resources provide guidance on applying patches to mitigate the authentication bypass.
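To make the mechanism concrete, the following is an added illustration (not Keylime's own code) of the weak TLS server setting that lets a client connect without a certificate, beside the hardened setting that makes the handshake fail unless a client certificate chaining to the configured CA is presented, plus an application-layer check that refuses administrative operations when no verified client certificate is on the connection. The helper names, the operation names and the `ca_file` parameter are assumptions for this example; the defaults and constants used are the ones from Python's standard `ssl` module.

```python
"""Weak versus hardened server-side TLS configuration for a client-certificate
protected admin API, modelled on the Keylime registrar flaw (CVE-2026-1709).
Added illustration, not Keylime's own code; helper and operation names are
assumptions for this example."""
import ssl
from typing import Optional

# Admin operations the advisory says an unauthenticated client could reach
# (names are assumed for this example, not Keylime's API).
ADMIN_OPERATIONS = {"list_agents", "get_agent_tpm_data", "delete_agent"}


def make_server_context(require_client_cert: bool,
                        ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Build a server-side TLS context.

    require_client_cert=False reproduces the weak behaviour: verify_mode is
    CERT_NONE, so any client completes the handshake and the TLS layer proves
    nothing about the caller. require_client_cert=True is the hardened form:
    verify_mode is CERT_REQUIRED, so the handshake fails unless the client
    presents a certificate chaining to the CA loaded from ca_file.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if require_client_cert:
        ctx.verify_mode = ssl.CERT_REQUIRED
        if ca_file is not None:
            # CA that issued the client certificates; a real deployment must
            # load this, otherwise no client certificate can validate.
            ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.verify_mode = ssl.CERT_NONE
    # A real server also needs ctx.load_cert_chain(server_cert, server_key).
    return ctx


def enforces_client_auth(ctx: ssl.SSLContext) -> bool:
    """Audit helper: True only when the context refuses clients without a cert.

    CERT_OPTIONAL is not sufficient, because a client can simply omit its
    certificate and the handshake still succeeds."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


def authorize_admin_request(operation: str, peer_cert: Optional[dict]) -> bool:
    """Application-layer defence in depth.

    peer_cert is what SSLSocket.getpeercert() returns after the handshake:
    None or an empty dict when the peer presented no certificate. Even if the
    TLS layer were misconfigured (CERT_NONE or CERT_OPTIONAL), administrative
    operations are refused unless a verified client certificate is present."""
    if operation not in ADMIN_OPERATIONS:
        return False
    return bool(peer_cert)
```

The audit helper is the check to run against any registrar-style service: a server context whose `verify_mode` is anything other than `CERT_REQUIRED` accepts unauthenticated callers at the transport layer, and the application then has to fall back on `getpeercert()`, which is exactly the layer the advisory says was missing.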


Vulnerability details

A flaw was found in Keylime. The Keylime registrar, since version 7.12.0, does not enforce client-side Transport Layer Security (TLS) authentication. This authentication bypass vulnerability allows unauthenticated clients with network access to perform administrative operations, including listing agents, retrieving public Trusted Platform Module (TPM) data, and deleting agents, by connecting without presenting a client certificate.


MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique?

The authentication bypass in a network-accessible registrar directly enables remote exploitation of a public-facing service for unauthorized administrative actions.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28368 (same product: Red Hat Enterprise Linux)
CVE-2026-28369 (same product: Red Hat Enterprise Linux)
CVE-2026-28367 (same vendor: Red Hat)
CVE-2025-12543 (same vendor: Red Hat)
CVE-2026-32590 (same vendor: Red Hat)
CVE-2025-14087 (same product: Red Hat Enterprise Linux)
CVE-2025-32988 (same product: Red Hat Enterprise Linux)
CVE-2026-4480 (same product: Red Hat Enterprise Linux)
CVE-2026-33845 (same product: Red Hat Enterprise Linux)
CVE-2026-5121 (same product: Red Hat Enterprise Linux)

Affected Assets

Red Hat Enterprise Linux: 10.0, 9.0
Red Hat Enterprise Linux EUS: 10.0
Red Hat Enterprise Linux for ARM 64: 10.0_aarch64, 9.0_aarch64
Red Hat Enterprise Linux for ARM 64 EUS: 10.0_aarch64
Red Hat Enterprise Linux for IBM Z Systems: 10.0_s390x, 9.0_s390x
Red Hat Enterprise Linux for IBM Z Systems EUS: 10.0_s390x
Red Hat Enterprise Linux for Power Little Endian: 10.0_ppc64le, 9.0_ppc64le
Red Hat Enterprise Linux for Power Little Endian EUS: 10.0_ppc64le
Keylime (keylime): ≤ 7.12.0

Mitigating Controls (NIST 800-53 r5)

Prevent: Requires validation and use of public key infrastructure certificates for remote authentication, directly mitigating the failure to enforce client-side TLS client certificates on the Keylime registrar.

Prevent: Mandates unique identification and authentication of devices before establishing remote connections, preventing unauthenticated clients from accessing the registrar's administrative functions.

Prevent: Establishes approval, authorization, and protection requirements for remote access, ensuring only authenticated connections can perform operations like agent management on the registrar.
