Idira Privileged Session Manager for SSH (PSMP): Arbitrary Command Execution via Improper Neutralization of Special Elements used in an OS Command
CVE-2026-45172

8.7HIGH

Key Information:

Vendor: Cyberark Software, A Palo Alto Networks Company
Status: Pam Self-hosted, Privilege Cloud
Vendor: CVE Published:; 11 June 2026

🔔 Create Cyberark Software, A Palo Alto Networks Company Vulnerability Alert

Badges

👾 Exploit Exists

What is CVE-2026-45172?

Due to incomplete input validation in Idira Privileged Session Manager for SSH (PSMP) versions prior to 15.0.2, 14.6.3, 14.2.5, and 14.0.6, an authenticated, low-privileged user could potentially execute arbitrary commands on the PSMP host. CyberArk Security Bulletins: CA26-17 and CA26-18

Affected Version(s)

PAM Self-Hosted, Privilege Cloud 14.0 < 14.0.6

PAM Self-Hosted, Privilege Cloud 14.2 < 14.2.5

PAM Self-Hosted, Privilege Cloud 14.6 < 14.6.3

References

https://docs.cyberark.com/pam-self-hosted/latest/en/conte...

vendor-advisory

https://docs.cyberark.com/pam-self-hosted/latest/en/conte...

vendor-advisory

https://docs.cyberark.com/pam-self-hosted/latest/en/conte...

vendor-advisory

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

👾
Exploit known to exist
Jun 11, 2026
Vulnerability published
Jun 11, 2026
Vulnerability Reserved
May 8, 2026

Credit

Palo Alto Networks thanks our internal security research teams for discovering and reporting this issue

CVE-2026-45172 Data

.