Description
Idira Secrets Manager SaaS Edge versions prior to 1.8 exhibit improper access control within its internal authentication components. A remote, unauthenticated attacker could exploit this by submitting a specially crafted request. Under specific circumstances, this could allow the attacker to manipulate internal validation mechanisms, potentially leading to a bypass of identity verification and the unauthorized acquisition of an access token. CyberArk Security Bulletin: CA26-20
Published: 2026-06-11
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Idira Secrets Manager SaaS Edge versions before 1.8 had an improper access‑control flaw in its internal authentication components. A remote attacker can craft a specific request that manipulates the internal validation step and bypasses identity verification, allowing the attacker to obtain an access token without proper authentication. The resulting token grants the attacker the same permissions as the targeted identity, enabling unauthorized data access or further lateral movement.

Affected Systems

This vulnerability affects CyberArk Software’s Conjur Cloud (Edge Finding only) product, known as Idira Secrets Manager SaaS Edge, in all releases prior to version 1.8. Users running those releases are at risk if exposed to the public network.

Risk and Exploitability

The CVSS score of 9.1 indicates a high‑impact risk, and while the EPSS score is not published, the absence from CISA’s KEV list suggests no current widely‑publicized exploit activity. The likely attack vector is a remote, unauthenticated network request to the Edge service, where the crafted request reaches the internal authentication logic. If exploited, the attacker could impersonate any user or application that relies on the issued token, potentially compromising system integrity and confidentiality.

Generated by OpenCVE AI on June 11, 2026 at 22:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Idira Secrets Manager SaaS Edge to version 1.8 or later when the vendor releases the fix.
  • Enforce strict role‑based access controls so that only authenticated identities can request an access token.
  • Enable comprehensive audit logging for all token‑generation requests and monitor for anomalous activity.
  • Restrict network access to the Edge service, allowing only trusted hosts or VPNs, to reduce exposure to unauthenticated requests.

Generated by OpenCVE AI on June 11, 2026 at 22:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 11 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description Idira Secrets Manager SaaS Edge versions prior to 1.8 exhibit improper access control within its internal authentication components. A remote, unauthenticated attacker could exploit this by submitting a specially crafted request. Under specific circumstances, this could allow the attacker to manipulate internal validation mechanisms, potentially leading to a bypass of identity verification and the unauthorized acquisition of an access token. CyberArk Security Bulletin: CA26-20
Title Idira Secrets Manager SaaS Edge: Authentication Bypass of an internal validation mechanism
First Time appeared Cyberark Software A Palo Alto Networks Company
Cyberark Software A Palo Alto Networks Company conjur Cloud Edge Finding Only
Weaknesses CWE-284
CPEs cpe:2.3:a:cyberark_software_a_palo_alto_networks_company:conjur_cloud_edge_finding_only_:*:*:idira_secrets_manager_saas_-_edge:*:*:*:*:*
Vendors & Products Cyberark Software A Palo Alto Networks Company
Cyberark Software A Palo Alto Networks Company conjur Cloud Edge Finding Only
References
Metrics cvssV4_0

{'score': 9.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/U:Amber'}

Subscriptions

Cyberark Software A Palo Alto Networks Company Conjur Cloud Edge Finding Only
cve-icon MITRE

Status: PUBLISHED

Assigner: palo_alto

Published:

Updated: 2026-06-11T19:03:36.828Z

Reserved: 2026-05-08T23:01:00.502Z

Link: CVE-2026-45177

cve-icon Vulnrichment

Updated: 2026-06-11T19:03:24.694Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-11T19:16:41.903

Modified: 2026-06-11T20:56:29.653

Link: CVE-2026-45177

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T22:15:09Z

Weaknesses