A critical-severity vulnerability has been discovered in Keylime, the open-source tool used by cloud tenants to verify the integrity of their remote systems. Tracked as CVE-2026-1709, the flaw carries a CVSS score of 9.4, and the advisory warns that a core security feature—mutual TLS (mTLS) authentication—has been effectively disabled in recent versions.
Keylime is designed to be the bedrock of trust for remote machines, using TPM (Trusted Platform Module) technology to ensure that a system hasn’t been tampered with. However, this vulnerability undermines that very foundation by allowing unauthorized users to connect to the registrar service without a valid certificate.
The vulnerability stems from a configuration error in the Keylime registrar, the component responsible for registering and tracking agents.
According to the advisory, “The Keylime registrar does not enforce mutual TLS (mTLS) client certificate authentication since version 7.12.0”.
Instead of strictly requiring a valid client certificate (ssl.CERT_REQUIRED), the code was inadvertently set to ssl.CERT_OPTIONAL. This “optional” setting means that while the server asks for a certificate, it doesn’t insist on one. As a result, the advisory notes, the registrar allows “any client to connect to protected API endpoints without presenting a valid client certificate”.
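To show concretely what the difference between the two verify modes means on the server side, here is an added Python example (not Keylime's code): it stands up a local TLS server configured either the buggy way (CERT_OPTIONAL) or the correct way (CERT_REQUIRED), connects a client that presents no certificate at all, and reports whether the server completed the handshake. It assumes the openssl CLI is on PATH to mint a throwaway self-signed server certificate.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_server_cert(tmpdir):
    """Generate a throwaway self-signed server cert with the openssl CLI (assumed on PATH)."""
    key, crt = os.path.join(tmpdir, "key.pem"), os.path.join(tmpdir, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    return crt, key

def client_without_cert_is_admitted(require_client_cert):
    """Server uses CERT_REQUIRED if require_client_cert else the buggy CERT_OPTIONAL; a client
    presenting NO certificate connects. Returns True if the server completed the handshake."""
    with tempfile.TemporaryDirectory() as tmp:
        crt, key = make_server_cert(tmp)
        srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv_ctx.load_cert_chain(crt, key)
        srv_ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_OPTIONAL
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        listener.settimeout(5)
        port = listener.getsockname()[1]
        result = {}
        def serve():
            try:
                conn, _ = listener.accept()
                conn.settimeout(5)
                with srv_ctx.wrap_socket(conn, server_side=True):
                    result["ok"] = True      # handshake finished: certificate-less client admitted
            except OSError:                  # ssl.SSLError is an OSError: server rejected the client
                result["ok"] = False

        t = threading.Thread(target=serve)
        t.start()
        cli_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        cli_ctx.load_verify_locations(crt)   # trusts the throwaway server cert; loads no client cert
        try:
            raw = socket.create_connection(("127.0.0.1", port), timeout=5)
            with cli_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                tls.recv(1)                  # wait for the server to close or send its alert
        except OSError:
            pass                             # rejected: expected when the server requires a cert
        t.join()
        listener.close()
        return result.get("ok", False)

if __name__ == "__main__":
    for req in (False, True): print("require_client_cert =", req, "-> admitted:", client_without_cert_is_admitted(req))
```

With CERT_OPTIONAL the anonymous client completes the handshake and reaches whatever sits behind the TLS layer; with CERT_REQUIRED the server aborts the handshake, which is the behaviour the registrar was supposed to have.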
The flaw affects a specific window of releases. “All Keylime deployments running versions 7.12.0 through 7.13.0” are vulnerable.
This is particularly concerning for environments where Keylime is exposed to untrusted networks, as the registrar is often the gatekeeper for sensitive attestation data.
The maintainers are urging users to upgrade to the patched version as soon as possible.
For those who cannot upgrade immediately, the advisory recommends two main workarounds to stop the bleeding:
- Network Isolation (Recommended): Use firewall rules (like iptables) to restrict access to the registrar’s port (default 8891). Only trusted IP addresses—such as the verifier and tenant—should be allowed to connect.
- Reverse Proxy: Deploy a proxy like NGINX or HAProxy in front of the registrar to enforce the mTLS checks that the application is missing.