In Unisys Stealth 3.4.x, 4.x and 5.x prior to 5.0.026, if certificate-based authorization is used without HTTPS, an endpoint could be authorized without a private key.
unisys stealth