CVE-2026-33583 Overview
CVE-2026-33583 affects the Arqit Symmetric Key Agreement Platform in versions prior to 26.03. The platform exposes the QKEY, used as input to the OTA-Quantum device registration process, along with internal system keys. An unauthenticated HTTP GET request retrieves these keys over an unencrypted channel. The flaw maps to [CWE-749] Exposed Dangerous Method or Function.
Network-based attackers can retrieve cryptographic material without credentials. Exposure of the QKEY undermines the device registration workflow that the platform secures. Recovery of internal system keys compromises the confidentiality and integrity of downstream key agreement operations.
Critical Impact
Unauthenticated attackers can retrieve the QKEY and internal system keys over HTTP, breaking the trust assumptions of the symmetric key agreement process.
Affected Products
- Arqit Symmetric Key Agreement Platform versions before 26.03
- Deployments exposing the affected HTTP endpoint to untrusted networks
- Devices relying on the OTA-Quantum registration flow secured by the platform
Discovery Timeline
- 2026-05-13 - CVE-2026-33583 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-33583
Vulnerability Analysis
The Arqit Symmetric Key Agreement Platform exposes a dangerous function through an HTTP GET endpoint. The endpoint requires no authentication and transmits data without TLS. A client issuing a single GET request retrieves the QKEY along with internal system keys.
The QKEY feeds the OTA-Quantum device registration process. Disclosure of this value allows an attacker to impersonate the registration authority or derive material used to register rogue devices. Disclosure of internal system keys further degrades the security guarantees of any symmetric key agreement that depends on them.
The issue is classified under [CWE-749] because a sensitive method that should be restricted to authenticated or internal callers is reachable from the network. The network attack vector, combined with no privilege or user interaction requirement, makes exploitation straightforward where the endpoint is reachable.
Root Cause
The root cause is the presence of an internal key-retrieval method exposed through an HTTP GET handler without authentication, authorization, or transport encryption. The handler treats key material as routinely retrievable data rather than as a privileged operation gated by access control.
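The pattern described above, reduced to a minimal illustration (added here; this is not Arqit's code, and the request fields, path, role name and placeholder key values are assumptions): the exposed form hands out key material to any GET, while the gated form checks transport, authentication and authorization before the privileged operation and records every decision for audit.

```python
"""Illustrative CWE-749 shape beside its gated form.

Added example, not the vendor's code. The /keys path, the role name
"provisioning-service" and the key values are assumptions; the key
material is a constructed placeholder, never a real key.
"""
from dataclasses import dataclass, field
from typing import Optional

# ASSUMPTION: constructed placeholder key material for the demo only.
KEY_STORE = {"qkey": "PLACEHOLDER-QKEY", "system": "PLACEHOLDER-SYSTEM-KEY"}

# Decisions are appended here so a reviewer can see every allow/deny.
AUDIT_LOG = []


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    scheme: str               # "http" or "https" as terminated at the handler
    principal: Optional[str]  # authenticated identity, None when anonymous
    roles: frozenset = frozenset()


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def exposed_handler(req: Request) -> Response:
    """The vulnerable shape: a privileged method reachable by any GET."""
    if req.method == "GET" and req.path == "/keys":
        return Response(200, dict(KEY_STORE))
    return Response(404)


def gated_handler(req: Request,
                  allowed_roles=frozenset({"provisioning-service"})) -> Response:
    """Hardened shape: transport, authn and authz checks precede the
    privileged operation, and every outcome is audited."""
    if not (req.method == "GET" and req.path == "/keys"):
        return Response(404)
    if req.scheme != "https":
        # Refuse outright: key material must never leave over plaintext.
        AUDIT_LOG.append(("deny", "plaintext-transport", req.principal))
        return Response(403)
    if req.principal is None:
        AUDIT_LOG.append(("deny", "unauthenticated", None))
        return Response(401)
    if not (req.roles & allowed_roles):
        AUDIT_LOG.append(("deny", "unauthorized-role", req.principal))
        return Response(403)
    AUDIT_LOG.append(("allow", "key-retrieval", req.principal))
    return Response(200, dict(KEY_STORE))


if __name__ == "__main__":
    anon = Request("GET", "/keys", "http", None)
    print("exposed:", exposed_handler(anon).status)   # 200: keys disclosed
    print("gated:  ", gated_handler(anon).status)     # 403: refused
    svc = Request("GET", "/keys", "https", "prov-svc",
                  frozenset({"provisioning-service"}))
    print("gated, authorised service:", gated_handler(svc).status)  # 200
    print(AUDIT_LOG)
```

The same three gates (TLS only, an authenticated principal, a role that is allowed to call the method) are what the reverse-proxy workaround later on this page enforces in front of an unpatched instance.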
Attack Vector
An attacker reaches the platform over the network and issues an HTTP GET request to the vulnerable endpoint. The server returns the QKEY and internal system keys in the response body. The attacker then reuses these values to subvert the OTA-Quantum registration process or to attack systems that derive trust from the disclosed keys. Passive interception of legitimate requests on the unencrypted channel produces the same outcome.
No verified exploit code is published. Refer to the CVCN advisory for CVE-2026-33583 for technical details from the coordinating authority.
Detection Methods for CVE-2026-33583
Indicators of Compromise
- Unexpected HTTP GET requests to Symmetric Key Agreement Platform key-retrieval endpoints originating from untrusted sources
- Plaintext HTTP traffic to the platform on ports that should be restricted to authenticated, encrypted channels
- Device registrations through the OTA-Quantum workflow that do not correlate to authorized provisioning activity
Detection Strategies
- Inspect web server and reverse proxy logs for unauthenticated GET requests against key-distribution paths on the platform
- Alert on any HTTP (non-TLS) traffic destined for the Symmetric Key Agreement Platform management interface
- Correlate new device registrations with provisioning tickets to identify registrations that lack an authorized request
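The three strategies above as runnable detection logic over constructed sample records (an added example, not vendor tooling; the log format, the key-retrieval path prefixes and the registration path are placeholders, since the platform's real paths are not documented on this page):

```python
"""Detection helpers for the CVE-2026-33583 exposure pattern.

Added illustration, not the vendor's code. Log format, path prefixes and
field names are assumptions to be replaced with the real ones.
"""
import ipaddress
import re
from dataclasses import dataclass

# ASSUMPTION: placeholder paths; substitute the platform's documented ones.
KEY_PATH_PREFIXES = ("/api/keys/", "/internal/qkey")
REGISTRATION_PATH = "/ota/register"

# Assumed reverse-proxy access-log format (one record per line):
#   <timestamp> <src_ip> <scheme> <method> <path> <status> auth=<user|->
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<scheme>https?) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3}) auth=(?P<auth>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    rule: str
    ts: str
    src: str
    path: str


def _is_trusted(src: str, trusted_nets) -> bool:
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in trusted_nets)


def scan_access_log(lines, trusted_cidrs=("10.0.0.0/8",)):
    """Strategies 1 and 2: unauthenticated GETs against key-distribution
    paths, and any plaintext HTTP to the platform front end.

    A key-retrieval finding from outside the trusted admin networks gets
    the suffix "-untrusted-source" so triage can prioritise it.
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable record: skip rather than abort the scan
        r = m.groupdict()
        if (r["method"] == "GET"
                and r["path"].startswith(KEY_PATH_PREFIXES)
                and r["auth"] == "-"
                and r["status"].startswith("2")):
            rule = "unauth-key-retrieval"
            if not _is_trusted(r["src"], trusted):
                rule += "-untrusted-source"
            findings.append(Finding(rule, r["ts"], r["src"], r["path"]))
        if r["scheme"] == "http":
            findings.append(Finding("plaintext-http", r["ts"], r["src"], r["path"]))
    return findings


def unauthorized_registrations(registrations, provisioning_tickets):
    """Strategy 3: device registrations with no matching provisioning ticket.

    registrations: iterable of (timestamp, device_id) seen on the OTA
    registration path; provisioning_tickets: set of device_ids an operator
    authorised. Returns the device_ids registered without a ticket.
    """
    return sorted({dev for _, dev in registrations
                   if dev not in provisioning_tickets})


# Constructed sample data (not real traffic or real devices).
SAMPLE_LOG = [
    "2026-05-14T09:00:01Z 10.1.2.3 https GET /api/keys/qkey 200 auth=admin",
    "2026-05-14T09:00:07Z 198.51.100.7 http GET /api/keys/qkey 200 auth=-",
    "2026-05-14T09:00:09Z 10.1.2.9 http GET /status 200 auth=-",
    "2026-05-14T09:00:12Z 203.0.113.5 https GET /internal/qkey 401 auth=-",
    "garbage line that does not parse",
]
SAMPLE_REGISTRATIONS = [
    ("2026-05-14T09:05:00Z", "dev-0001"),
    ("2026-05-14T09:06:00Z", "dev-0042"),
    ("2026-05-14T09:07:00Z", "dev-0001"),
]
SAMPLE_TICKETS = {"dev-0001"}

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f)
    print("registrations without a ticket:",
          unauthorized_registrations(SAMPLE_REGISTRATIONS, SAMPLE_TICKETS))
```

On the sample records the scan raises one untrusted-source key retrieval (the successful anonymous GET from 198.51.100.7) and two plaintext-HTTP findings; the denied 401 request is deliberately not counted as a retrieval, since only a successful response discloses material. The registration correlation flags dev-0042 as registered with no provisioning ticket.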
Monitoring Recommendations
- Capture full request and response metadata from the platform front end and forward logs to a centralized analytics system
- Baseline normal client identifiers and source networks contacting the platform, then alert on deviations
- Monitor outbound connections from the platform host for anomalous traffic that may indicate post-exposure abuse
How to Mitigate CVE-2026-33583
Immediate Actions Required
- Upgrade the Arqit Symmetric Key Agreement Platform to version 26.03 or later
- Restrict network access to the platform management and key-distribution interfaces to trusted administrative networks only
- Rotate any QKEY and internal system keys that may have been exposed before the patch was applied
- Audit OTA-Quantum device registrations performed while the vulnerable version was reachable and revoke unauthorized devices
Patch Information
The vendor addresses CVE-2026-33583 in Symmetric Key Agreement Platform version 26.03. Apply the upgrade across all platform instances. Coordination details are available in the CVCN advisory for CVE-2026-33583.
Workarounds
- Place the platform behind a reverse proxy that enforces TLS and client authentication for all requests
- Block the vulnerable HTTP endpoint at the network boundary until the upgrade is applied
- Disable or firewall any non-TLS listener on the platform host to prevent plaintext retrieval of key material
# Example: restrict access to the platform with iptables until patching completes
# Rules are appended with -A, so verify that no earlier INPUT rule already accepts
# port 80 more broadly; apply equivalent rules for any other plaintext listener.
iptables -A INPUT -p tcp --dport 80 -s <trusted_admin_cidr> -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.