Skip to main content

CyberArk Endpoint Privilege Manager CVE-2026-45176

| EUVDEUVD-2026-36291 HIGH
Improper Privilege Management (CWE-269)
2026-06-11 palo_alto GHSA-5cgm-xvc8-25j7
8.9
CVSS 4.0 · Vendor: palo_alto
Share

Severity by source

Vendor (palo_alto) PRIMARY
8.9 HIGH
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
vuln.today AI
7.0 HIGH

Local attacker needs an existing low-priv shell (PR:L), race/condition-dependent IPC abuse justifies AC:H, and successful exploitation yields full SYSTEM/root impact across C/I/A.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (palo_alto).

CVSS VectorVendor: palo_alto

CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 11, 2026 - 20:01 EUVD
Analysis Generated
Jun 11, 2026 - 19:24 vuln.today

DescriptionCVE.org

Idira Endpoint Privilege Manager Agent versions prior to 26.5 exhibit improper access control within high-privileged agent components. A local, low-privileged attacker could exploit this by manipulating an internal communication mechanism or file operation. Under specific circumstances, this could potentially allow the attacker to bypass permission restrictions and execute unauthorized local actions with elevated privileges. CyberArk Security Bulletin: CA26-19

AnalysisAI

Local privilege escalation in CyberArk (Idira) Endpoint Privilege Manager Agent versions prior to 26.5 allows low-privileged users on Windows, macOS, and Linux endpoints to abuse improper access controls in high-privileged agent components and execute actions with elevated privileges. The flaw was reported by Palo Alto Networks (CyberArk's parent) and addressed in agent version 26.5.0, with no public exploit identified at time of analysis. Because EPM is itself a privilege-management control, a bypass directly undermines the security posture of every endpoint where it is deployed.

Technical ContextAI

The affected component is the CyberArk Endpoint Privilege Manager (EPM) Agent - a cross-platform endpoint security agent that brokers elevation requests and enforces least-privilege policies on Windows, macOS, and Linux hosts (per CPE cpe:2.3:a:cyberark_software...:idira_endpoint_privilege_manager). The root cause is classified as CWE-269 (Improper Privilege Management): high-privileged agent processes expose an internal IPC channel or perform file operations without adequately validating the caller's authorization, so a low-privileged process running on the same host can manipulate that interface to coerce the agent into performing privileged actions on its behalf. This is a classic local-IPC/file-operation trust boundary failure inside a SYSTEM/root-level service.

RemediationAI

Vendor-released patch: upgrade the CyberArk Endpoint Privilege Manager Agent to version 26.5.0 or later on all Windows, macOS, and Linux endpoints, per CyberArk Security Bulletin CA26-19 and the per-OS release notes (rn-os-windows.htm#Version2650, rn-os-macos.htm#Version2650, rn-os-linux.htm#Version2650). Because the vulnerability is local and requires code execution as a low-privileged user on the endpoint, compensating controls until rollout completes include tightening endpoint application-control policies to block untrusted binaries from running, restricting interactive logon and remote-shell access to endpoints with the vulnerable agent, and monitoring for unexpected child processes spawned by the EPM agent service or unusual file activity in directories used by its IPC - note these controls reduce but do not eliminate exposure and may generate additional policy-deny noise. Do not disable the EPM agent as a workaround, since that removes the very privilege-management control the product provides.

Share

CVE-2026-45176 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy