Idira Secrets Manager Self-Hosted: Improper Access Control in Internal Cluster Endpoints
CVE-2026-45178

8.4HIGH

Key Information:

Vendor: Cyberark Software, A Palo Alto Networks Company
Status: Conjur Enterprise
Vendor: CVE Published:; 11 June 2026

🔔 Create Cyberark Software, A Palo Alto Networks Company Vulnerability Alert

Badges

👾 Exploit Exists

What is CVE-2026-45178?

Idira Secrets Manager Self-Hosted versions 13.8.0 and lower exhibit improper access control within internal cluster endpoints. A remote, authenticated attacker possessing standard node-level credentials could leverage these endpoints to potentially retrieve unauthorized secrets or cause a denial of service (DoS). CyberArk Security Bulletin: CA26-20

Affected Version(s)

Conjur Enterprise Central Credential Provider (CCP) 14.0 < 14.2.6

Conjur Enterprise Credential Provider (CP) 14.0 < 14.2.6

Conjur Enterprise Idira Secrets Manager 13.0 < 13.8.1

References

https://docs.cyberark.com/secrets-manager-sh/13.9/en/cont...

vendor-advisory

https://docs.cyberark.com/credential-providers/latest/en/...

vendor-advisory

CVSS V4

Score:

8.4

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

👾
Exploit known to exist
Jun 11, 2026
Vulnerability published
Jun 11, 2026
Vulnerability Reserved
May 8, 2026

Credit

Palo Alto Networks thanks our internal security research teams for discovering and reporting this issue

CVE-2026-45178 Data

JSON