Severity by source
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
Adjacent MITM with specific config and operator-triggered TLS session justifies AV:A, AC:H, UI:R; PR:N as no Connector auth needed; C:H/I:H for intercepted credentials, A:N as no availability impact.
Primary rating from Vendor (palo_alto).
CVSS VectorVendor: palo_alto
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
Lifecycle Timeline
3DescriptionCVE.org
Idira Privilege Cloud Connector versions prior 1.1.100504 under specific conditions and configuration scenarios, TLS certificate validation may not be fully enforced. CyberArk Security Bulletin: CA26-17
AnalysisAI
Improper TLS certificate validation in CyberArk (Palo Alto Networks) Privilege Cloud Connector (PAM SH Connector, branded 'Idira') versions prior to 1.1.100504 allows adjacent-network attackers to intercept or tamper with privileged-access traffic under specific configuration scenarios. The flaw is rated CVSS 4.0 7.5 with no public exploit identified at time of analysis, but the Connector's role as a broker for secrets and privileged sessions makes successful exploitation highly impactful. Reported by Palo Alto with disclosure tracked under CyberArk Security Bulletin CA26-17.
Technical ContextAI
The affected component is CyberArk's Privilege Cloud Connector (CPE cyberark_software:pam_sh_connector), a Linux-based broker that proxies privileged sessions and secret retrieval between on-premises targets and the CyberArk Privilege Cloud SaaS. The weakness is classified as CWE-295 (Improper Certificate Validation), meaning the TLS client either skips, partially implements, or misconfigures peer certificate verification (e.g., not validating the certificate chain, hostname, or revocation status) when establishing outbound TLS sessions under certain deployment conditions. Because the Connector terminates and forwards privileged credential traffic, any TLS trust gap directly undermines the confidentiality and integrity guarantees the product is designed to provide.
RemediationAI
Upgrade the Privilege Cloud Connector to version 1.1.100504 or later, which is the vendor-released patched build identified in CyberArk Security Bulletin CA26-17 (https://docs.cyberark.com/). Until the upgrade is deployed, restrict the Connector's network exposure so that only trusted, segmented paths reach it - specifically, place the Connector on a dedicated management VLAN with no adjacent untrusted hosts, and require mutual TLS or IPsec on the upstream link to Privilege Cloud where supported (trade-off: added operational complexity and potential session-establishment failures if certificates are misaligned). Audit Connector configuration for any non-default options that weaken TLS verification (custom CA bundles, disabled hostname checks) and revert them; note that tightening verification may break sessions to targets using self-signed or expired internal certificates, which should be re-issued from a trusted internal CA before enforcement.
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36371
GHSA-4pc6-w92r-32xw