CVE-2026-33583 PUBLISHED

Arqit SKA-Platform Vulnerable to Key Exposure

Assigner: ENISA
Reserved: 23.03.2026 Published: 13.05.2026 Updated: 13.05.2026

Exposure of the QKEY (used as input into the ‘OTA-Quantum’ device registration process) and internal system keys via an unauthenticated and unencrypted HTTP GET method in the Arqit Symmetric Key Agreement Platform.

This issue affects Symmetric Key Agreement Platform: before 26.03.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
CVSS Score: 8.7

Attack Vector	Network	Scope	Changed
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Arqit
Product	Symmetric Key Agreement Platform
Versions	Default: unaffected affected from 0 to 26.03 (excl.)

References

https://www.cvcn.gov.it/cvcn/cve/CVE-2026-33583

Problem Types

CWE-749 Exposed dangerous method or function CWE