Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
Network-reachable and unauthenticated (AV:N/PR:N/UI:N); AC:H mirrors 4.0 AT:P and 'under specific circumstances'; token theft yields C:H/I:H, no availability impact.
Primary rating from Vendor (palo_alto).
CVSS VectorVendor: palo_alto
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
Lifecycle Timeline
2DescriptionCVE.org
Idira Secrets Manager SaaS Edge versions prior to 1.8 exhibit improper access control within its internal authentication components. A remote, unauthenticated attacker could exploit this by submitting a specially crafted request. Under specific circumstances, this could allow the attacker to manipulate internal validation mechanisms, potentially leading to a bypass of identity verification and the unauthorized acquisition of an access token. CyberArk Security Bulletin: CA26-20
AnalysisAI
Authentication bypass in Idira Secrets Manager SaaS Edge prior to version 1.8 allows remote unauthenticated attackers to obtain valid access tokens by submitting specially crafted requests that subvert internal validation logic. Reported by Palo Alto Networks researchers and tracked under CyberArk Security Bulletin CA26-20, the flaw carries a CVSS 4.0 score of 9.1 (Critical) due to high confidentiality and integrity impact on a product whose entire purpose is custody of enterprise secrets. There is no public exploit identified at time of analysis, but the secrets-management use case makes any token theft a high-leverage compromise.
Technical ContextAI
Idira Secrets Manager SaaS Edge is a cloud-connected component of CyberArk's secrets-management platform (CPE strings tie the finding to the CyberArk/Conjur Cloud Edge product line, now under Palo Alto Networks ownership) that brokers identity verification before issuing access tokens used to retrieve secrets. The root cause is CWE-284 (Improper Access Control) within the internal authentication components: the Edge does not correctly enforce who may invoke or influence its validation routines, so a crafted request can manipulate the trust decision that should distinguish legitimate identities from attackers. Because access tokens are the currency that downstream services use to retrieve credentials from the vault, a flaw in the issuance path effectively short-circuits every authorization control that depends on those tokens.
RemediationAI
Vendor-released patch: 1.8 - upgrade every Idira Secrets Manager SaaS Edge instance to 1.8 or later as tracked in CyberArk Security Bulletin CA26-20 and the release notes at https://docs.cyberark.com/secrets-manager-saas/latest/en/content/conjurcloud/whatsnew.htm#May132026. Until the upgrade is rolled out, restrict network exposure of the Edge's authentication endpoints to known administrative CIDR ranges or VPN-only access (trade-off: breaks any legitimate workload reaching the Edge from those blocked networks) and rotate any access tokens or downstream secrets that the Edge may have issued during the exposure window so a stolen token cannot be replayed post-patch. Enable and review Edge authentication audit logs for anomalous token issuance, especially requests that succeeded without a corresponding identity-provider event, and tighten alerting thresholds during the remediation window.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36289
GHSA-6x94-6f82-g4jw