Description
Due to incomplete input validation in Idira Privileged Session Manager for SSH (PSMP) versions prior to 15.0.2, 14.6.3, 14.2.5, and 14.0.6, an authenticated, low-privileged user could potentially execute arbitrary commands on the PSMP host. CyberArk Security Bulletins: CA26-17 and CA26-18
Published: 2026-06-11
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Incomplete input validation in Idira Privileged Session Manager for SSH (PSMP) allows an authenticated, low-privileged user to inject and execute arbitrary operating-system commands on the PSMP host. The flaw is located in command-handling logic that fails to neutralize special elements, resulting in a classic OS command-injection weakness (CWE-78). This can directly compromise the integrity and availability of the PSMP service by allowing the attacker to run any command on its host.

Affected Systems

The affected product is PAM Self-Hosted / Privilege Cloud from CyberArk Software, a Palo Alto Networks company; the vulnerable component is the Privileged Session Manager for SSH (PSMP). PSMP versions prior to 15.0.2, 14.6.3, 14.2.5 and 14.0.6 contain the vulnerability, as detailed in the vendor release notes.

Risk and Exploitability

The CVSS score of 8.7 indicates a high-severity vulnerability; no EPSS score is available, and the CVE is not listed in the CISA KEV catalog. Exploitation requires a legitimate, authenticated account with low privileges that can reach the PSMP web interface; once authenticated, the attacker can trigger the flaw to run arbitrary OS commands on the host, which presents a significant security risk for environments running vulnerable versions.

Generated by OpenCVE AI on June 11, 2026 at 23:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the fixed release (15.0.2 or later, or 14.6.3, 14.2.5, or 14.0.6).
  • Restrict access to the PSMP web interface to privileged accounts only.
  • Apply rigorous input validation for command parameters to block injection.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 22:15:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Due to incomplete input validation in Idira Privileged Session Manager for SSH (PSMP) versions prior to 15.0.2, 14.6.3, 14.2.5, and 14.0.6, an authenticated, low-privileged user could potentially execute arbitrary commands on the PSMP host. CyberArk Security Bulletins: CA26-17 and CA26-18

Type: Title
  Values Removed: (none)
  Values Added: Idira Privileged Session Manager for SSH (PSMP): Arbitrary Command Execution via Improper Neutralization of Special Elements used in an OS Command

Type: First Time appeared
  Values Removed: (none)
  Values Added: Cyberark Software A Palo Alto Networks Company; Cyberark Software A Palo Alto Networks Company pam Self-hosted Privilege Cloud

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-78

Type: CPEs
  Values Removed: (none)
  Values Added: cpe:2.3:a:cyberark_software_a_palo_alto_networks_company:pam_self-hosted_privilege_cloud:*:*:*:*:*:*:*:*

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Cyberark Software A Palo Alto Networks Company; Cyberark Software A Palo Alto Networks Company pam Self-hosted Privilege Cloud

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics
  Values Removed: (none)
  Values Added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/U:Amber'}

MITRE

Status: PUBLISHED

Assigner: palo_alto

Published:

Updated: 2026-06-11T21:50:40.403Z

Reserved: 2026-05-08T23:00:57.503Z

Link: CVE-2026-45172

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-11T22:16:57.320

Modified: 2026-06-11T22:16:57.320

Link: CVE-2026-45172

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T00:00:15Z

Weaknesses
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')