CVE-2026-45178 PUBLISHED

Idira Secrets Manager Self-Hosted: Improper Access Control in Internal Cluster Endpoints

Assigner: palo_alto
Reserved: 08.05.2026 Published: 11.06.2026 Updated: 11.06.2026

Idira Secrets Manager Self-Hosted versions 13.8.0 and lower exhibit improper access control within internal cluster endpoints. A remote, authenticated attacker possessing standard node-level credentials could leverage these endpoints to potentially retrieve unauthorized secrets or cause a denial of service (DoS). CyberArk Security Bulletin: CA26-20

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:L/U:Amber
CVSS Score: 8.4

Product Status

Vendor: CyberArk Software, a Palo Alto Networks Company
Product: Conjur Enterprise
Versions (default: unaffected)
  • affected from 13.0 to 13.8.1 (excl.)

Vendor: CyberArk Software, a Palo Alto Networks Company
Product: Conjur Enterprise
Versions (default: unaffected)
  • affected from 14.0 to 14.2.6 (excl.)

Exploits

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Credits

  • Palo Alto Networks thanks our internal security research teams for discovering and reporting this issue (finder)

Problem Types

  • CWE-284: Improper Access Control

Impacts

  • CAPEC-130 Excessive Allocation