Arqit Symmetric Key Agreement Platform Exposes Critical Keys via HTTP GET

The National Vulnerability Database has disclosed CVE-2026-33583, a high-severity vulnerability impacting the Arqit Symmetric Key Agreement Platform versions prior to 26.03. This flaw exposes the QKEY, used in the ‘OTA-Quantum’ device registration process, and internal system keys.

The critical issue stems from an HTTP GET method that is both unauthenticated and unencrypted. An attacker can retrieve sensitive cryptographic material with a plain web request, with no authentication and no transport encryption in the way, which effectively nullifies the security posture of systems relying on these keys. The CVSS score of 8.7 (HIGH) reflects network-reachable access and a high impact on both confidentiality and integrity.

For defenders, this is a clear-cut case of foundational cryptographic elements being undermined by insecure transport. Attackers are always looking for the easiest path to compromise, and leaking keys via unencrypted HTTP is an open invitation. This vulnerability allows for direct key exfiltration, which can lead to widespread compromise of devices registered with the platform and potentially allow for impersonation or decryption of communications.

What This Means For You

  • If your organization utilizes the Arqit Symmetric Key Agreement Platform, you must immediately verify your version. Prioritize patching to version 26.03 or newer to mitigate CVE-2026-33583. Furthermore, assume any QKEYs or internal system keys used with affected versions have been compromised and initiate a key rotation process across all impacted devices and services.

🛡️ Detection Rules

Severity: critical · ATT&CK: T1190 (Initial Access)

CVE-2026-33583 - Arqit Symmetric Key Exposure via HTTP GET

Sigma YAML:
title: CVE-2026-33583 - Arqit Symmetric Key Exposure via HTTP GET
id: scw-2026-05-13-ai-1
status: experimental
level: critical
description: |
  Detects unauthenticated HTTP GET requests to the '/ota-quantum' endpoint with a 'qkey=' parameter, indicating potential exposure of QKEYs as described in CVE-2026-33583. This is a critical indicator of the vulnerability being exploited.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-33583/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-method:
      - 'GET'
    cs-uri:
      - '/ota-quantum'
    cs-uri-query|contains:
      - 'qkey='
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse
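
The Sigma selection above, applied offline to web access logs as an added example (not part of the original post, the feed's rule set, or Arqit's software). It assumes Apache/nginx "combined" log format; the '/ota-quantum' path and 'qkey=' parameter are taken from the rule as published, the log lines are constructed, and `served_clients` is a hypothetical helper.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache/nginx "combined" access-log layout (assumed; adapt to your server).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def matches_rule(method, target):
    """Mirror the Sigma selection: GET, exact path, query containing 'qkey='."""
    parts = urlsplit(target)
    # Sigma matching is case-insensitive; percent-decode so an encoded
    # spelling of the same path or parameter is still recognised.
    path = unquote(parts.path).lower()
    query = unquote(parts.query).lower()
    return method.upper() == "GET" and path == "/ota-quantum" and "qkey=" in query

def scan(lines):
    """Return hits without echoing the query string, which may hold key material."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and matches_rule(m["method"], m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"])})
    return hits

def served_clients(hits):
    """Clients answered with 2xx (assumption: success means a key was returned)."""
    return sorted({h["ip"] for h in hits if 200 <= h["status"] < 300})

# Constructed sample lines: documentation-range IPs, placeholder key values.
SAMPLE = [
    '203.0.113.7 - - [13/May/2026:22:40:01 +0000] "GET /ota-quantum?qkey=PLACEHOLDER HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.4 - - [13/May/2026:22:41:10 +0000] "GET /ota-quantum?device=7&QKEY=PLACEHOLDER HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.9 - - [13/May/2026:22:42:33 +0000] "POST /ota-quantum?qkey=PLACEHOLDER HTTP/1.1" 200 64 "-" "-"',
    '192.0.2.15 - - [13/May/2026:22:43:02 +0000] "GET /ota-quantum/status HTTP/1.1" 200 18 "-" "-"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    hits = scan(SAMPLE)
    for h in hits:
        print(f'{h["ts"]}  {h["ip"]}  status={h["status"]}')
    print("clients served successfully:", served_clients(hits))
```

A hit only confirms that a matching request was logged; the key rotation advised above for affected versions applies whether or not the logs show one.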


Indicators of Compromise

ID | Type | Indicator
CVE-2026-33583 | Information Disclosure | Arqit Symmetric Key Agreement Platform before 26.03
CVE-2026-33583 | Information Disclosure | Exposure of QKEY via unauthenticated and unencrypted HTTP GET method
CVE-2026-33583 | Information Disclosure | Exposure of internal system keys via unauthenticated and unencrypted HTTP GET method

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 13, 2026 at 22:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
