CVE-2026-45177 | Idira Secrets Manager SaaS Edge versions prior to 1.8 exhibi… | CVSS 9.1 CRITICAL

Description

Idira Secrets Manager SaaS Edge versions prior to 1.8 exhibit improper access control within its internal authentication components. A remote, unauthenticated attacker could exploit this by submitting a specially crafted request. Under specific circumstances, this could allow the attacker to manipulate internal validation mechanisms, potentially leading to a bypass of identity verification and the unauthorized acquisition of an access token. CyberArk Security Bulletin: CA26-20

Metadata

CVE ID: CVE-2026-45177
State: PUBLISHED
Assigner: palo_alto
Reserved: 2026-05-08 23:01 UTC
Published: 2026-06-11 18:40 UTC
Last updated: 2026-06-11 19:03 UTC
Primary CWE: CWE-284
CWE-284: Improper Access Control
Vendor / Product: CyberArk Software, a Palo Alto Networks Company / Conjur Cloud (Edge Finding only)
Sources: cve.org · NVD

Severity & Metrics

9.1 CRITICAL CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/U:Amber

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
CyberArk Software, a Palo Alto Networks Company	Conjur Cloud (Edge Finding only)	Idira Secrets Manager Saas - Edge	1.0 < 1.8

Weakness (CWE)

CWE	Source	Description
CWE-284	cna	CWE-284: Improper Access Control

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.1	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/U:Amber

References (1)

https://docs.cyberark.com/secrets-manager-saas/latest/en/content/conjurcloud/whatsnew.htm#May132026