Skip to main content

CyberArk PSM EUVDEUVD-2026-36365

| CVE-2026-45171 HIGH
Path Traversal (CWE-22)
2026-06-11 palo_alto GHSA-g3c5-h5qv-px3q
8.7
CVSS 4.0 · Vendor: palo_alto
Share

Severity by source

Vendor (palo_alto) PRIMARY
8.7 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:M/U:Amber
vuln.today AI
8.8 HIGH

Network-reachable PSM service exploitable by any low-privileged authenticated user (PR:L) with no user interaction, yielding code execution and full CIA impact on the PSM host.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (palo_alto).

CVSS VectorVendor: palo_alto

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:M/U:Amber
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

9
Analysis Updated
Jun 12, 2026 - 05:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 12, 2026 - 05:28 vuln.today
v2 (cvss_changed)
Severity Changed
Jun 12, 2026 - 05:22 NVD
CRITICAL HIGH
CVSS changed
Jun 12, 2026 - 05:22 NVD
9.3 (CRITICAL) 8.7 (HIGH)
Re-analysis Queued
Jun 12, 2026 - 05:22 vuln.today
cvss_changed
Severity Changed
Jun 12, 2026 - 05:22 NVD
CRITICAL HIGH
CVSS changed
Jun 12, 2026 - 05:22 NVD
9.3 (CRITICAL) 8.7 (HIGH)
Patch available
Jun 12, 2026 - 02:01 EUVD
Analysis Generated
Jun 11, 2026 - 22:31 vuln.today

DescriptionCVE.org

Incomplete input validation and improperly configured folder permissions within Idira Privileged Session Manager (PSM) versions prior to 15.0.3, 14.6.3, 14.2.5, and 14.0.5, an authenticated, low-privileged user could potentially execute arbitrary code. CyberArk Security Bulletin: CA26-17 and CA26-18

AnalysisAI

Authenticated arbitrary code execution in CyberArk Privileged Session Manager (PSM) versions prior to 15.0.3, 14.6.3, 14.2.5, and 14.0.5 allows low-privileged users to escape intended boundaries through incomplete input validation combined with misconfigured folder permissions. Because PSM brokers privileged sessions to critical infrastructure, code execution here directly threatens vaulted credentials and downstream targets, making this a high-impact issue despite requiring authentication. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 8.7 reflects the severity of compromising a PAM component.

Technical ContextAI

CyberArk PSM is the session-brokering component of the CyberArk Privileged Access Management (PAM) Self-Hosted suite (CPE cpe:2.3:a:cyberark_software...:privileged_session_manager,_vault), used to proxy and record privileged sessions to managed targets. The root cause maps to CWE-22 (Path Traversal): the application accepts user-controlled path-like input without sufficient canonicalization, and the underlying filesystem ACLs on PSM working folders grant write access where they should not. The combination means an attacker who can authenticate as a low-privileged PSM user can place or reference files outside of intended directories, ultimately reaching a code-execution sink - a classic path-traversal-to-RCE chain reported by Palo Alto Networks (now the parent of CyberArk) and tracked as CyberArk advisories CA26-17 and CA26-18.

RemediationAI

Vendor-released patch: upgrade PSM to 15.0.3, 14.6.3, 14.2.5, or 14.0.5 on the corresponding branch per CyberArk Security Bulletins CA26-17 and CA26-18, using the release notes linked above as the authoritative source for build numbers. Until patches can be deployed, tighten NTFS/ACL permissions on PSM installation and recordings directories so that the PSM service account is the only writer, audit and shrink the population of low-privileged PSM users (especially shared or vendor accounts), and restrict network access to the PSM web/RDP front end to a small jump-host range - these controls reduce who can reach the vulnerable input paths but do not eliminate the traversal sink, and over-tightening recording folder ACLs can break session-recording playback, so test before rolling out. Increase monitoring on PSM hosts for unexpected child processes of the PSM service and for file writes outside the standard recordings/working paths.

Share

EUVD-2026-36365 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy