Severity: HIGH · CVE-2026-45169 · CNA: palo_alto

CVE-2026-45169: Idira Privileged Access Manager (PAM) Self-Hosted Vault: Denial of Service due to Unexpected Input Processing

Idira Privileged Access Manager (PAM) Self-Hosted Vault versions prior to 15.0.3, 14.6.5, 14.2.7, and 14.0.8 exhibit a validation vulnerability. Under specific circumstances and configuration scenarios, processing unexpected input could potentially lead to an unexpected service termination, resulting in a localized denial of service (DoS). CyberArk Security Bulletin: CA26-17

Metrics

CVSS v4.0 score: 8.7
Severity: HIGH
Fixed in: 14.0.8
Affected products: 1


HarborGuard Analysis

Synopsis

An input-validation vulnerability in Idira Privileged Access Manager (PAM) Self-Hosted Vault allows an unauthenticated remote attacker to crash the vault service by sending unexpected input. The service is reachable over the network and requires no credentials or user interaction to trigger. Successful exploitation terminates the vault process, causing a localized denial of service and degrading dependent systems to a lesser extent. Patched-image rebuilds at versions 14.0.8, 14.2.7, 14.6.5, and 15.0.3 are available on HarborGuard for environments running affected versions.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-45169 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that layer Idira PAM Self-Hosted Vault components.

Triage (Available)

HarborGuard is capable of scoring this finding at CVSS v4.0 8.7 (HIGH) and weighting it against each environment's compliance policy to determine urgency. Triage routing is available to direct the finding to the appropriate team inbox within each customer organization.

Patch (Available)

A patched-image rebuild at the applicable fix version (14.0.8, 14.2.7, 14.6.5, or 15.0.3 depending on the installed branch) becomes available in HarborGuard as soon as the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard can execute a rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the PAM Self-Hosted Vault service over the network; no local or physical access is needed.

  • Authentication: Not required

    No credentials are needed; the malformed input can be submitted by any unauthenticated caller the network permits to reach the service.

  • Victim interaction: Not required

    Exploitation is fully attacker-driven and requires no action from any user or administrator.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and repeatable without depending on race conditions or specific environmental state.

Blast Radius

  • Crashes the PAM Self-Hosted Vault process, making privileged credential retrieval and session management unavailable until the service is restarted.
  • Causes localized degradation of systems and workflows that depend on the vault for just-in-time access or secrets injection.
  • Does not expose stored credentials or session data (confidentiality impact is none) and does not modify any persisted vault records (integrity impact is none).
  • Downstream systems connected to the vault may experience reduced availability at low severity while the vault is offline.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-45169 is matched against images within minutes of advisory publication, covering all four affected version branches (14.0, 14.2, 14.6, and 15.0). Where compliance policy permits, a patched-image rebuild at the correct fix version is made available automatically, and customers with auto-remediation enabled receive a rebuilt image, a regression test run, and a pull request opened against affected workloads. For HIGH-severity issues, the median time from CVE publication to a merged patch PR in environments with auto-remediation enabled is around 90 minutes.

Until a patched image is deployed, compensating controls worth considering include:

  • Network-policy rules that restrict vault API exposure to known client CIDRs only.
  • Rate-limiting or connection throttling at the ingress layer, to reduce the attacker's ability to repeatedly trigger the crash.
  • Alerting on abnormal vault process-restart events, to catch active exploitation attempts early.
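The restart-alerting control mentioned above, as an added illustration that is not part of this advisory or of any HarborGuard or CyberArk tooling: a small Python detector that reads constructed service-manager style log lines (the line layout and message wording are assumptions), ignores planned stops, and raises one alert when several unexpected vault terminations fall inside a sliding time window, which is the pattern a repeatedly triggered crash would leave behind.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log (not output from the product); the "timestamp level
# message" layout and the message texts are assumptions for this example.
SAMPLE_LOG = """\
2026-03-01T10:00:00Z INFO  vault: service started
2026-03-01T10:14:05Z ERROR vault: service terminated unexpectedly (exit code 0xC0000005)
2026-03-01T10:14:20Z INFO  vault: service started
2026-03-01T10:15:02Z ERROR vault: service terminated unexpectedly (exit code 0xC0000005)
2026-03-01T10:15:30Z INFO  vault: service started
2026-03-01T10:16:11Z ERROR vault: service terminated unexpectedly (exit code 0xC0000005)
2026-03-01T10:16:40Z INFO  vault: service started
2026-03-01T18:00:00Z INFO  vault: service stopped by administrator (planned maintenance)
2026-03-01T18:10:00Z INFO  vault: service started
"""


def parse_line(line):
    """Split one 'timestamp level message' line into (datetime, level, message)."""
    ts, level, message = line.split(maxsplit=2)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), level, message


def is_unexpected_termination(message):
    # An operator-initiated stop is not a crash and must not count toward a burst.
    return "terminated unexpectedly" in message


def crash_burst_alerts(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return one alert per burst of at least `threshold` unexpected
    terminations inside a sliding `window`. A single restart is usually
    operational noise; a tight crash/restart cycle is what warrants a page."""
    recent = deque()          # timestamps of unexpected terminations in the window
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, _level, message = parse_line(line)
        if not is_unexpected_termination(message):
            continue
        recent.append(when)
        while recent and when - recent[0] > window:
            recent.popleft()  # drop terminations that aged out of the window
        if len(recent) >= threshold:
            alerts.append({"first_seen": recent[0].isoformat(),
                           "last_seen": when.isoformat(), "count": len(recent)})
            recent.clear()    # one alert per burst, not one per extra crash
    return alerts


if __name__ == "__main__":
    for a in crash_burst_alerts(SAMPLE_LOG):
        print(f"ALERT: {a['count']} unexpected vault terminations "
              f"between {a['first_seen']} and {a['last_seen']}")
```

On the sample above the three crashes within about two minutes produce a single alert, while the planned stop in the evening produces none.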


Fix available: 14.0.8, 14.2.7, 14.6.5, 15.0.3
Affected packages
  • CyberArk Software, a Palo Alto Networks Company / PAM SH Vault
    < 14.0.8 (from 14.0) · < 14.2.7 (from 14.2) · < 14.6.5 (from 14.6) · < 15.0.3 (from 15.0)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/U:Amber