CVE-2026-33584 Overview
CVE-2026-33584 affects the Arqit Symmetric Key Agreement Platform in versions before 26.03. The platform exposes its Keycloak management service to unauthorized network access. This exposure permits attackers to retrieve sensitive debug information, including application metrics and health data, without authentication.
The weakness maps to [CWE-749] Exposed Dangerous Method or Function. An attacker on the network can query management endpoints that should be restricted to internal operators. The leaked telemetry can support reconnaissance, fingerprinting of internal components, and planning of follow-on attacks against the key agreement service.
Critical Impact
Unauthenticated network attackers can read Keycloak management endpoints to harvest metrics and health data, exposing internal operational details of the Arqit Symmetric Key Agreement Platform.
Affected Products
- Arqit Symmetric Key Agreement Platform versions before 26.03
- Deployments exposing the embedded Keycloak management interface to untrusted networks
- Environments without network-level restrictions on Keycloak administrative ports
Discovery Timeline
- 2026-05-13 - CVE-2026-33584 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-33584
Vulnerability Analysis
The Arqit Symmetric Key Agreement Platform bundles Keycloak as its identity and access management component. Keycloak exposes a management interface separate from its primary user-facing endpoints. This interface serves operational data including Prometheus-style metrics, health probes, and runtime information.
In affected releases, the platform binds the management interface to a network-reachable address without enforcing authentication or authorization. An attacker who can reach the service over the network can issue HTTP requests to these endpoints. The server returns telemetry that reveals internal configuration, component versions, request rates, error counts, and component liveness states.
The disclosed data supports reconnaissance against the broader key agreement platform. Attackers can map internal services, identify software versions vulnerable to known issues, and observe operational patterns. The flaw does not by itself grant code execution or write access, but it materially reduces the cost of subsequent intrusion attempts.
Root Cause
The root cause is an insecure default configuration of the embedded Keycloak management service. Sensitive management endpoints are reachable over the network without credentials, violating the principle of least exposure for administrative interfaces [CWE-749].
Attack Vector
Exploitation occurs over the network and requires no privileges or user interaction. An attacker sends HTTP GET requests to the exposed Keycloak management endpoints, such as /metrics and /health, and parses the returned data. The Italian National Cybersecurity Agency advisory for this issue is available at CVCN CVE-2026-33584 Details.
// No verified proof-of-concept code is published for this issue.
// The vulnerability is exercised through unauthenticated HTTP requests
// to Keycloak management endpoints exposed by the affected platform.
Detection Methods for CVE-2026-33584
Indicators of Compromise
- Unauthenticated HTTP requests to Keycloak management paths such as /metrics, /health, /health/live, and /health/ready from external or untrusted source addresses
- Repeated scraping of management endpoints at consistent intervals indicating automated reconnaissance
- Access patterns to Keycloak management ports from IP ranges outside the documented operations network
Detection Strategies
- Inspect web server and reverse proxy logs for requests targeting Keycloak management URIs originating from non-administrative networks
- Compare network flow data against an allowlist of authorized management clients and alert on deviations
- Run external surface scans against platform hosts to confirm whether management ports respond to unauthenticated requests
Monitoring Recommendations
- Forward Keycloak access logs and reverse proxy logs to a centralized analytics platform for long-term retention and correlation
- Alert on any HTTP 200 response from management endpoints to source addresses outside the operations subnet
- Track baseline request volumes to management endpoints and flag sudden increases that suggest enumeration
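The following script is an added example for this advisory, not code from Arqit, Keycloak or the CVCN advisory. It implements the log-inspection and baseline checks listed under Detection Strategies and Monitoring Recommendations: it parses reverse proxy access logs, reports every request to a Keycloak management path from a source outside the allowed monitoring subnet, and flags sources that poll those paths at a near-constant interval. It assumes nginx "combined" log lines, the default management paths /metrics and /health under the root relative path, and the 10.10.0.0/24 monitoring subnet used in the iptables workaround below; the log lines are constructed for the example.

```python
"""Flag unauthenticated access to Keycloak management endpoints in proxy logs.

Added example for this advisory; not Arqit or Keycloak code. Assumes nginx
"combined" access log format, management paths /metrics and /health, and a
single authorized monitoring subnet (10.10.0.0/24, an assumption).
"""
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (nginx combined format); not from a real deployment.
SAMPLE_LOG = """\
10.10.0.5 - - [13/May/2026:10:00:00 +0000] "GET /metrics HTTP/1.1" 200 8421 "-" "Prometheus/2.51.0"
203.0.113.7 - - [13/May/2026:10:00:03 +0000] "GET /health/ready HTTP/1.1" 200 52 "-" "curl/8.5.0"
203.0.113.7 - - [13/May/2026:10:00:13 +0000] "GET /metrics HTTP/1.1" 200 8421 "-" "python-requests/2.31"
203.0.113.7 - - [13/May/2026:10:00:23 +0000] "GET /metrics HTTP/1.1" 200 8419 "-" "python-requests/2.31"
203.0.113.7 - - [13/May/2026:10:00:33 +0000] "GET /metrics HTTP/1.1" 200 8423 "-" "python-requests/2.31"
198.51.100.9 - - [13/May/2026:10:01:00 +0000] "GET /realms/master/.well-known/openid-configuration HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
198.51.100.9 - - [13/May/2026:10:01:05 +0000] "GET /health/live HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
MANAGEMENT_PREFIXES = ("/metrics", "/health")
ALLOWED_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]  # assumed monitoring subnet


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "status": int(m["status"])}


def is_management_path(path):
    """True for the management endpoint itself or its sub-paths (e.g. /health/ready)."""
    p = path.split("?", 1)[0]  # ignore any query string
    return any(p == pre or p.startswith(pre + "/") for pre in MANAGEMENT_PREFIXES)


def is_allowed_source(ip, networks=ALLOWED_NETWORKS):
    """True when the client address falls inside an allowlisted monitoring network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed or non-IP field: treat as untrusted
    return any(addr in net for net in networks)


def find_unauthorized_management_hits(log_text, networks=ALLOWED_NETWORKS):
    """Return (ip, path, status) for management requests from outside the allowlist.

    A 2xx status is the serious finding: telemetry actually left the host.
    Non-2xx hits still show that an untrusted client is probing the endpoints.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_management_path(rec["path"]) and not is_allowed_source(rec["ip"], networks):
            hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits


def find_scrapers(log_text, min_hits=3, max_jitter_s=2.0):
    """Return sources that poll management paths repeatedly at a near-constant interval.

    Evenly spaced requests (low standard deviation of the gaps) suggest an
    automated scraper rather than a human clicking around.
    """
    times = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_management_path(rec["path"]):
            times[rec["ip"]].append(rec["ts"])
    scrapers = []
    for ip, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if statistics.pstdev(gaps) <= max_jitter_s:
            scrapers.append(ip)
    return sorted(scrapers)


if __name__ == "__main__":
    for ip, path, status in find_unauthorized_management_hits(SAMPLE_LOG):
        print(f"ALERT management access from {ip}: {path} -> {status}")
    for ip in find_scrapers(SAMPLE_LOG):
        print(f"ALERT periodic scraping of management endpoints from {ip}")
```

On the constructed sample the script reports the four successful reads and one refused probe from the two non-monitoring addresses, and flags 203.0.113.7 as a periodic scraper; the Prometheus client in 10.10.0.0/24 is silent. In production the allowlist and path prefixes should be taken from the proxy configuration (including any non-default management relative path), and the scraper threshold tuned against the baseline request volume recommended above.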
How to Mitigate CVE-2026-33584
Immediate Actions Required
- Upgrade the Arqit Symmetric Key Agreement Platform to version 26.03 or later, which addresses the exposure
- Restrict network access to Keycloak management ports using host firewalls, security groups, or network policies
- Audit reverse proxy and ingress rules to confirm that management paths are not published to untrusted networks
Patch Information
Arqit addresses this issue in Symmetric Key Agreement Platform version 26.03. Operators should plan an upgrade following vendor guidance. Refer to the CVCN CVE-2026-33584 Details advisory for additional remediation context.
Workarounds
- Bind the Keycloak management interface to a loopback or internal-only address until upgrade is possible
- Place an authenticating reverse proxy in front of management endpoints to require credentials for /metrics and /health access
- Apply network segmentation so that only designated monitoring hosts can reach Keycloak management ports
# Example: restrict Keycloak management port with iptables to a monitoring subnet
# Assumes the default Keycloak management port (9000); adjust if http-management-port is changed.
# Rules are matched in order, so the subnet ACCEPT must precede the DROP and both must
# come before any broader ACCEPT rule already in the INPUT chain.
iptables -A INPUT -p tcp --dport 9000 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 9000 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.