securityonline.info 2/10/2026, 1:00:50 AM · via preferred

Trust Broken: Critical Keylime Flaw (CVSS 9.4) Disables mTLS Authentication

CyberSIXT evidence panel: CISA KEV: not in KEV; patch status: unknown.

According to Daily CyberSecurity, a critical vulnerability in Keylime, tracked as CVE-2026-1709 and scored CVSS 9.4, disables mutual TLS (mTLS) authentication in recent versions. Keylime, which uses TPM technology to verify remote systems, relies on a properly configured registrar, but the advisory notes that the Keylime registrar has not enforced mTLS client certificate authentication since version 7.12.0.

The flaw stems from the code setting ssl.CERT_OPTIONAL instead of ssl.CERT_REQUIRED: with CERT_OPTIONAL the TLS handshake completes even when the client presents no certificate at all (a certificate is only validated if one happens to be sent), so any client can reach protected API endpoints without a valid client certificate. All Keylime deployments running versions 7.12.0 through 7.13.0 are vulnerable, which is particularly concerning for registrars exposed to untrusted networks.

Mitigations include upgrading to the patched version or applying workarounds such as network isolation with firewall rules on the registrar port (default 8891) or deploying a reverse proxy like NGINX or HAProxy to enforce mTLS checks. The article was published on 10 February 2026.
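The setting at the heart of the advisory, as an added Python example that is not code from Keylime or from the article: a server-side TLS context built the vulnerable way (ssl.CERT_OPTIONAL) beside the corrected one (ssl.CERT_REQUIRED), a small audit helper that reports whether a context really enforces client certificates, and a probe a defender can run against their own registrar to confirm that a connection carrying no client certificate is rejected. The function names, the probe, and the certificate paths are assumptions; port 8891 is the registrar default cited above.

```python
"""Added example: CERT_OPTIONAL vs CERT_REQUIRED for a mutual-TLS server.

Illustrative code, not Keylime's registrar. Function names and the probe are
assumptions; the default port 8891 is the one cited in the advisory.
"""
import socket
import ssl
from typing import Optional


def registrar_server_context(require_client_cert: bool,
                             certfile: Optional[str] = None,
                             keyfile: Optional[str] = None,
                             cafile: Optional[str] = None) -> ssl.SSLContext:
    """Build a server-side TLS context.

    require_client_cert=False reproduces the weak configuration described in
    the advisory: ssl.CERT_OPTIONAL lets the handshake complete when the client
    sends no certificate at all, so the endpoint is effectively unauthenticated.
    require_client_cert=True is the corrected setting: ssl.CERT_REQUIRED aborts
    the handshake unless the client presents a certificate that chains to a CA
    loaded with load_verify_locations().
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:  # hypothetical paths; omitted by default so the example runs offline
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_OPTIONAL
    return ctx


def audit_client_auth(ctx: ssl.SSLContext) -> dict:
    """Report whether a server context actually enforces client certificates.

    Only CERT_REQUIRED enforces mTLS. CERT_OPTIONAL still validates a
    certificate if one is sent, which is why the misconfiguration is easy to
    miss when testing with a well-behaved client that always presents one.
    """
    mode = ssl.VerifyMode(ctx.verify_mode)
    return {
        "verify_mode": mode.name,
        "enforces_mtls": mode == ssl.CERT_REQUIRED,
        "finding": None if mode == ssl.CERT_REQUIRED
                   else f"{mode.name}: clients may connect without a certificate",
    }


def probe_requires_client_cert(host: str, port: int = 8891, timeout: float = 5.0) -> bool:
    """Defender-side check against your own registrar: open a TLS connection
    WITHOUT a client certificate and send a minimal request. If the server
    enforces mTLS the exchange fails with an SSL alert and True is returned;
    if the server answers, client authentication is not being enforced.

    Server-certificate verification is disabled on purpose: the only question
    is whether client auth is enforced. With TLS 1.3 the server's
    certificate_required alert arrives after the handshake, so the read
    (not do_handshake) is where the rejection surfaces.
    """
    client = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client.check_hostname = False
    client.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with client.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
                tls.recv(1)
    except ssl.SSLError:
        return True   # rejected: mTLS is enforced
    return False      # served a response to an unauthenticated client


if __name__ == "__main__":
    for label, require in (("vulnerable (7.12.0-7.13.0 behaviour)", False),
                           ("corrected", True)):
        print(label, audit_client_auth(registrar_server_context(require)))
```

The probe is a read-only check of your own registrar and returns True only when the server refuses to serve an unauthenticated client; a False result on a registrar reachable from an untrusted network is exactly the exposure the advisory describes, and is also a useful regression check after applying the reverse-proxy or firewall workaround, since it exercises the path a client actually takes rather than the configuration file.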


Article by CyberSIXT