Skip to main content

Idira Secrets Manager CVE-2026-45177

| EUVDEUVD-2026-36289 CRITICAL
Improper Access Control (CWE-284)
2026-06-11 palo_alto GHSA-6x94-6f82-g4jw
9.1
CVSS 4.0 · Vendor: palo_alto
Share

Severity by source

Vendor (palo_alto) PRIMARY
9.1 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
vuln.today AI
7.4 HIGH

Network-reachable and unauthenticated (AV:N/PR:N/UI:N); AC:H mirrors 4.0 AT:P and 'under specific circumstances'; token theft yields C:H/I:H, no availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (palo_alto).

CVSS VectorVendor: palo_alto

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 11, 2026 - 20:01 EUVD
Analysis Generated
Jun 11, 2026 - 19:23 vuln.today

DescriptionCVE.org

Idira Secrets Manager SaaS Edge versions prior to 1.8 exhibit improper access control within its internal authentication components. A remote, unauthenticated attacker could exploit this by submitting a specially crafted request. Under specific circumstances, this could allow the attacker to manipulate internal validation mechanisms, potentially leading to a bypass of identity verification and the unauthorized acquisition of an access token. CyberArk Security Bulletin: CA26-20

AnalysisAI

Authentication bypass in Idira Secrets Manager SaaS Edge prior to version 1.8 allows remote unauthenticated attackers to obtain valid access tokens by submitting specially crafted requests that subvert internal validation logic. Reported by Palo Alto Networks researchers and tracked under CyberArk Security Bulletin CA26-20, the flaw carries a CVSS 4.0 score of 9.1 (Critical) due to high confidentiality and integrity impact on a product whose entire purpose is custody of enterprise secrets. There is no public exploit identified at time of analysis, but the secrets-management use case makes any token theft a high-leverage compromise.

Technical ContextAI

Idira Secrets Manager SaaS Edge is a cloud-connected component of CyberArk's secrets-management platform (CPE strings tie the finding to the CyberArk/Conjur Cloud Edge product line, now under Palo Alto Networks ownership) that brokers identity verification before issuing access tokens used to retrieve secrets. The root cause is CWE-284 (Improper Access Control) within the internal authentication components: the Edge does not correctly enforce who may invoke or influence its validation routines, so a crafted request can manipulate the trust decision that should distinguish legitimate identities from attackers. Because access tokens are the currency that downstream services use to retrieve credentials from the vault, a flaw in the issuance path effectively short-circuits every authorization control that depends on those tokens.

RemediationAI

Vendor-released patch: 1.8 - upgrade every Idira Secrets Manager SaaS Edge instance to 1.8 or later as tracked in CyberArk Security Bulletin CA26-20 and the release notes at https://docs.cyberark.com/secrets-manager-saas/latest/en/content/conjurcloud/whatsnew.htm#May132026. Until the upgrade is rolled out, restrict network exposure of the Edge's authentication endpoints to known administrative CIDR ranges or VPN-only access (trade-off: breaks any legitimate workload reaching the Edge from those blocked networks) and rotate any access tokens or downstream secrets that the Edge may have issued during the exposure window so a stolen token cannot be replayed post-patch. Enable and review Edge authentication audit logs for anomalous token issuance, especially requests that succeeded without a corresponding identity-provider event, and tighten alerting thresholds during the remediation window.

Share

CVE-2026-45177 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy