This vulnerability (CVE-2026-33584) affects the Arqit Symmetric Key Agreement Platform before version 26.03. It is classified under CWE-749, indicating exposure of dangerous methods or functions. Specifically, the Keycloak management service is exposed, enabling unauthorized parties to access sensitive debug information such as metrics and health data. The CVSS 3.1 base score is 5.3 (medium), reflecting network attack vector, low complexity, no privileges required, no user interaction, and confidentiality impact only. No integrity or availability impacts are noted. The vendor has not provided an official fix or remediation level, and no patch links are available. The product is not a cloud service, so remediation depends on vendor updates or configuration changes by users.

The impact is limited to unauthorized disclosure of sensitive debug information, which may aid an attacker in reconnaissance but does not directly compromise system integrity or availability. Confidentiality is impacted at a low level, with no known exploitation in the wild. The exposure of metrics and health data could potentially reveal operational details that might assist in further attacks, but no direct control or data modification is possible through this vulnerability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or remediation level is provided, users should monitor Arqit's advisories for updates. In the meantime, restricting access to the Keycloak management service through network controls or configuration changes to limit exposure of debug endpoints is recommended to reduce risk.