Description
Idira Identity Browser Extension (Chrome, Firefox, and Edge builds) versions prior to 26.8.1 exhibit an origin validation flaw within its internal web-page verification routines. If an authenticated user navigates to a specially crafted webpage, this interaction could potentially allow a remote attacker to trigger unauthorized application interaction or execution parameters within the context of that authenticated browser session. CyberArk Security Bulletin: CA26-21
Published: 2026-06-11
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an origin validation flaw within the extension’s internal page verification, allowing an attacker to craft a malicious webpage that causes the extension to perform actions outside its intended scope. If an authenticated user visits such a page, the attacker could trigger unauthorized commands or adjust execution parameters within the browser session. The primary impact is that the attacker gains the same privileges as the authenticated user in the context of the extension, potentially facilitating further compromise of the user’s system.

Affected Systems

CyberArk’s Identity Browser Extensions for Chrome, Edge, and Firefox versions earlier than 26.8.1 are affected. These extensions run in the user’s browser and are distributed by CyberArk, a Palo Alto Networks company.

Risk and Exploitability

The flaw has a CVSS score of 8.4, reflecting high severity. The EPSS value is not available, and the vulnerability is not currently listed in CISA’s KEV catalog, which means CISA has not recorded exploitation in the wild. Exploitation requires a social engineering or phishing scenario in which an authenticated user is tricked into visiting a crafted webpage; even so, proactive application of the patch is highly advisable.

Generated by OpenCVE AI on June 11, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Identity Browser Extension to version 26.8.1 or later on all supported browsers.
  • Verify that the extension’s origin validation is enabled and enforce restrictions on loading content from untrusted origins via browser policies where possible.
  • Disable or block the extension on devices that cannot be immediately upgraded to mitigate risk until the patch is applied.


Advisories

No advisories yet.

History

Thu, 11 Jun 2026 22:15:00 +0000

Values Removed: (none)

Values Added:

  Description: Idira Identity Browser Extension (Chrome, Firefox, and Edge builds) versions prior to 26.8.1 exhibit an origin validation flaw within its internal web-page verification routines. If an authenticated user navigates to a specially crafted webpage, this interaction could potentially allow a remote attacker to trigger unauthorized application interaction or execution parameters within the context of that authenticated browser session. CyberArk Security Bulletin: CA26-21

  Title: Idira Identity Browser Extension: Unauthorized Application Interaction via Origin Validation Failure

  First Time appeared:
    Cyberark Software A Palo Alto Networks Company
    Cyberark Software A Palo Alto Networks Company identity Browser Extensions

  Weaknesses: CWE-346

  CPEs:
    cpe:2.3:a:cyberark_software_a_palo_alto_networks_company:identity_browser_extensions:*:*:chrome:*:*:*:*:*
    cpe:2.3:a:cyberark_software_a_palo_alto_networks_company:identity_browser_extensions:*:*:edge:*:*:*:*:*
    cpe:2.3:a:cyberark_software_a_palo_alto_networks_company:identity_browser_extensions:*:*:firefox:*:*:*:*:*

  Vendors & Products:
    Cyberark Software A Palo Alto Networks Company
    Cyberark Software A Palo Alto Networks Company identity Browser Extensions

  References:

  Metrics: cvssV4_0
    {'score': 8.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:H/SI:H/SA:N/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: palo_alto

Published:

Updated: 2026-06-11T21:33:25.484Z

Reserved: 2026-05-08T23:00:57.503Z

Link: CVE-2026-45173

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-11T22:16:57.470

Modified: 2026-06-11T22:16:57.470

Link: CVE-2026-45173

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T23:30:05Z

Weaknesses