Skip to main content

Idira Endpoint Privilege Manager CVE-2026-45174

| EUVDEUVD-2026-36362 HIGH
Improper Resource Shutdown or Release (CWE-404)
2026-06-11 palo_alto GHSA-6rr3-cp4w-m97q
8.5
CVSS 4.0 · Vendor: palo_alto
Share

Severity by source

Vendor (palo_alto) PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
vuln.today AI
7.8 HIGH

Local access required (AV:L) with an existing low-privileged account (PR:L); init-time race is reliable so AC:L; subverting the EPM daemon yields high C/I/A on the host.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (palo_alto).

CVSS VectorVendor: palo_alto

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 11, 2026 - 23:01 EUVD
Analysis Generated
Jun 11, 2026 - 21:51 vuln.today
CVE Published
Jun 11, 2026 - 21:22 cve.org
HIGH 8.5

DescriptionCVE.org

Idira Endpoint Privilege Manager Linux Agent versions prior to 26.5 allow a local attacker to potentially compromise the agent daemon initialization. CyberArk Security Bulletin: CA26-19

AnalysisAI

Local privilege/integrity compromise in CyberArk Idira Endpoint Privilege Manager Linux Agent versions prior to 26.5 allows an authenticated local attacker to interfere with the agent daemon's initialization sequence, potentially undermining the endpoint privilege controls the product is meant to enforce. The CVSS 4.0 score of 8.5 reflects high impact on confidentiality, integrity, and availability of the vulnerable system, though exploitation requires existing local access with low privileges. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

Idira Endpoint Privilege Manager (EPM), now part of CyberArk under Palo Alto Networks, is an endpoint security agent that enforces least-privilege policies on Linux hosts by mediating privileged operations. The CWE-404 (Improper Resource Shutdown or Release) classification, combined with the description's reference to daemon initialization, indicates the agent mishandles resources during startup - likely failing to securely acquire, lock, or release files, sockets, or other init-time artifacts. The CPE string cpe:2.3:a:cyberark_software,_a_palo_alto_networks_company:idira_endpoint_privilege_manager pins this to the EPM Linux Agent product line, with the fix landing in the 26.5 release per the vendor's Linux release notes.

RemediationAI

Vendor-released patch: Idira Endpoint Privilege Manager Linux Agent 26.5, as documented in CyberArk Security Bulletin CA26-19 and the Linux release notes at https://docs.cyberark.com/epm/latest/en/content/release%20notes/rn-os-linux.htm#Version2650 - upgrade all Linux endpoints running EPM to 26.5 or later as the primary fix. Until patching is complete, restrict interactive and SSH access on EPM-protected hosts to trusted administrators only, since exploitation requires local low-privilege access; additionally, monitor agent service start/stop events and the integrity of the EPM daemon's init-time files, sockets, and PID files for tampering, and alert on unexpected restarts that could indicate an attacker racing the daemon during initialization. These compensating controls reduce opportunity but do not eliminate the flaw, and aggressive lockdown of shell access may impact legitimate operators, so plan the upgrade as the durable remediation.

Share

CVE-2026-45174 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy