Idira Privileged Access Manager (PAM) Self-Hosted Vault: Denial of Service due to Unexpected Input Processing
CVE-2026-45169

8.7HIGH

Key Information:

Vendor

Cyberark Software, A Palo Alto Networks Company

Status
Pam Sh Vault
Vendor
CVE Published:
12 June 2026

Badges

👾 Exploit Exists

What is CVE-2026-45169?

Idira Privileged Access Manager (PAM) Self-Hosted Vault versions prior to 15.0.3, 14.6.5, 14.2.7, and 14.0.8 exhibit a validation vulnerability. Under specific circumstances and configuration scenarios, processing unexpected input could potentially lead to an unexpected service termination, resulting in a localized denial of service (DoS). CyberArk Security Bulletin: CA26-17

Affected Version(s)

PAM SH Vault 14.0 < 14.0.8

PAM SH Vault 14.2 < 14.2.7

PAM SH Vault 14.6 < 14.6.5

References

https://docs.cyberark.com/pam-self-hosted/latest/en/conte...
vendor-advisory
https://docs.cyberark.com/pam-self-hosted/latest/en/conte...
vendor-advisory
https://docs.cyberark.com/pam-self-hosted/latest/en/conte...
vendor-advisory

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Palo Alto Networks thanks our internal security research teams for discovering and reporting this issue
.