Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
Local access required (AV:L) with an existing low-privileged account (PR:L); init-time race is reliable so AC:L; subverting the EPM daemon yields high C/I/A on the host.
Primary rating from Vendor (palo_alto).
CVSS VectorVendor: palo_alto
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
Lifecycle Timeline
3DescriptionCVE.org
Idira Endpoint Privilege Manager Linux Agent versions prior to 26.5 allow a local attacker to potentially compromise the agent daemon initialization. CyberArk Security Bulletin: CA26-19
AnalysisAI
Local privilege/integrity compromise in CyberArk Idira Endpoint Privilege Manager Linux Agent versions prior to 26.5 allows an authenticated local attacker to interfere with the agent daemon's initialization sequence, potentially undermining the endpoint privilege controls the product is meant to enforce. The CVSS 4.0 score of 8.5 reflects high impact on confidentiality, integrity, and availability of the vulnerable system, though exploitation requires existing local access with low privileges. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Technical ContextAI
Idira Endpoint Privilege Manager (EPM), now part of CyberArk under Palo Alto Networks, is an endpoint security agent that enforces least-privilege policies on Linux hosts by mediating privileged operations. The CWE-404 (Improper Resource Shutdown or Release) classification, combined with the description's reference to daemon initialization, indicates the agent mishandles resources during startup - likely failing to securely acquire, lock, or release files, sockets, or other init-time artifacts. The CPE string cpe:2.3:a:cyberark_software,_a_palo_alto_networks_company:idira_endpoint_privilege_manager pins this to the EPM Linux Agent product line, with the fix landing in the 26.5 release per the vendor's Linux release notes.
RemediationAI
Vendor-released patch: Idira Endpoint Privilege Manager Linux Agent 26.5, as documented in CyberArk Security Bulletin CA26-19 and the Linux release notes at https://docs.cyberark.com/epm/latest/en/content/release%20notes/rn-os-linux.htm#Version2650 - upgrade all Linux endpoints running EPM to 26.5 or later as the primary fix. Until patching is complete, restrict interactive and SSH access on EPM-protected hosts to trusted administrators only, since exploitation requires local low-privilege access; additionally, monitor agent service start/stop events and the integrity of the EPM daemon's init-time files, sockets, and PID files for tampering, and alert on unexpected restarts that could indicate an attacker racing the daemon during initialization. These compensating controls reduce opportunity but do not eliminate the flaw, and aggressive lockdown of shell access may impact legitimate operators, so plan the upgrade as the durable remediation.
Local privilege escalation in CyberArk (Idira) Endpoint Privilege Manager Agent versions prior to 26.5 allows low-privil
Local privilege escalation and self-defense bypass in CyberArk (Palo Alto Networks) Idira Endpoint Privilege Manager Age
Same weakness CWE-404 – Improper Resource Shutdown or Release
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36362
GHSA-6rr3-cp4w-m97q