CVE-2026-33583

Arqit · Symmetric Key Agreement Platform

The Arqit Symmetric Key Agreement Platform is vulnerable to an unauthenticated, unencrypted HTTP GET request, leading to the exposure of QKEY and internal system keys.

Executive summary

An unauthenticated information disclosure vulnerability in the Arqit Symmetric Key Agreement Platform exposes critical system and quantum keys.

Vulnerability

This is an exposure of sensitive keys via an unauthenticated and unencrypted HTTP GET method (CWE-749). The attacker requires no authentication to access these keys, which are used in the 'OTA-Quantum' device registration process.

Business impact

Successful exploitation results in the total compromise of confidentiality for QKEYs and internal system keys (CVSS 8.7). This could lead to a total breakdown of the platform's security architecture, allowing attackers to intercept or forge encrypted communications, leading to severe reputational and operational damage.

Remediation

Immediate Action: Update the Arqit Symmetric Key Agreement Platform to version 26.03 or higher immediately.

Proactive Monitoring: Review access logs for unauthorized HTTP GET requests directed at the device registration or key exchange endpoints.

Compensating Controls: Restrict network access to the platform endpoints using IP allowlisting and ensure all traffic is forced over encrypted channels (TLS).

Exploitation status

Public Exploit Available: false

Analyst recommendation

This is a critical security failure. Administrators must treat this as a high-priority incident and apply the vendor-provided updates immediately, as the exposure of root-level keys compromises the entire integrity of the affected platform.