Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
Network-reachable internal endpoint with low complexity; PR:L because standard node credentials are required; scope changes as a compromised node exposes secrets governing other systems, with high confidentiality and partial availability impact.
Primary rating from Vendor (palo_alto).
CVSS VectorVendor: palo_alto
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
Lifecycle Timeline
2DescriptionCVE.org
Idira Secrets Manager Self-Hosted versions 13.8.0 and lower exhibit improper access control within internal cluster endpoints. A remote, authenticated attacker possessing standard node-level credentials could leverage these endpoints to potentially retrieve unauthorized secrets or cause a denial of service (DoS). CyberArk Security Bulletin: CA26-20
AnalysisAI
Improper access control in CyberArk Conjur Enterprise (Idira Secrets Manager Self-Hosted) versions 13.8.0 and earlier allows authenticated attackers with standard node-level credentials to abuse internal cluster endpoints to retrieve unauthorized secrets or trigger denial of service. The flaw is rated CVSS 4.0 base 8.4 with high confidentiality impact extending to subsequent systems, but no public exploit identified at time of analysis. CyberArk has published Security Bulletin CA26-20 alongside fixed releases.
Technical ContextAI
The affected product is CyberArk Conjur Enterprise (rebranded under the Idira Secrets Manager Self-Hosted line), a clustered secrets-management platform that brokers credentials, API keys, and certificates for applications and infrastructure. The flaw is classified as CWE-284 (Improper Access Control) and resides in internal cluster endpoints - interfaces intended for node-to-node coordination within a Conjur deployment. These endpoints apparently fail to enforce role separation between standard node identities and privileged cluster operations, letting any holder of node-level credentials reach functionality that should be restricted to the cluster control plane. The CPE data lists multiple wildcard cpe:2.3:a:cyberark_software,_a_palo_alto_networks_company:conjur_enterprise entries, confirming the Conjur Enterprise codebase as the impacted asset.
RemediationAI
Upgrade Conjur Enterprise / Secrets Manager Self-Hosted to version 13.8.1 or later as identified by CyberArk Security Bulletin CA26-20 and the 13.8.1 release notes at https://docs.cyberark.com/secrets-manager-sh/13.9/en/content/enterprise/releasenotes/release-notes-13.8.1.htm; operators running the Credential Providers stack should also review the 14.2.6 advisory at https://docs.cyberark.com/credential-providers/latest/en/content/landingpages/cp-wn-rn-14.2.6.htm to align component versions. Until patching is complete, restrict network reachability of the internal cluster endpoints to the Conjur node mesh only using firewall or security-group rules, segment the cluster onto a dedicated management network unreachable from application tiers, and rotate any node-level credentials suspected of exposure - note that overly aggressive segmentation can disrupt cluster replication and HA failover, so changes should be staged. Monitoring node-credential authentication patterns and access to cluster-internal routes for anomalous use is a reasonable compensating control while change windows are scheduled.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36296
GHSA-gvf5-9x7p-qfqc