CVE-2026-33583
Arqit · Symmetric Key Agreement Platform
The Arqit Symmetric Key Agreement Platform is vulnerable to an unauthenticated, unencrypted HTTP GET request, leading to the exposure of QKEY and internal system keys.
Executive summary
An unauthenticated information disclosure vulnerability in the Arqit Symmetric Key Agreement Platform exposes critical system and quantum keys.
Vulnerability
This is an exposure of sensitive keys via an unauthenticated and unencrypted HTTP GET method (CWE-749). The attacker requires no authentication to access these keys, which are used in the 'OTA-Quantum' device registration process.
Business impact
Successful exploitation results in the total compromise of confidentiality for QKEYs and internal system keys (CVSS 8.7). This could lead to a total breakdown of the platform's security architecture, allowing attackers to intercept or forge encrypted communications, leading to severe reputational and operational damage.
Remediation
Immediate Action: Update the Arqit Symmetric Key Agreement Platform to version 26.03 or higher immediately.
Proactive Monitoring: Review access logs for unauthorized HTTP GET requests directed at the device registration or key exchange endpoints.
Compensating Controls: Restrict network access to the platform endpoints using IP allowlisting and ensure all traffic is forced over encrypted channels (TLS).
Exploitation status
Public Exploit Available: false
Analyst recommendation
This is a critical security failure. Administrators must treat this as a high-priority incident and apply the vendor-provided updates immediately, as the exposure of root-level keys compromises the entire integrity of the affected platform.