How is CVE-2026-45170 exploited?

Network reachability (info): The attacker must be positioned on an adjacent network, LAN, or VPN segment; remote exploitation over the open internet is not possible with this attack vector. Authentication (not-required): No credentials or prior account access are needed to attempt the attack. Victim interaction (required): The attack requires some level of interaction from a person on the target system, introducing a social-engineering or timing dependency. Attack complexity (info): Exploitation is generally reliable but depends on specific configuration scenarios or environmental conditions being present (AT:P), meaning the attacker may need to wait for or trigger a particular state.

What is the impact of CVE-2026-45170?

Reads plaintext credentials or session tokens in transit between the connector and the privileged access management backend. Modifies commands or responses in the TLS stream, allowing injection of unauthorized privileged-session instructions. Crashes or disrupts the connector service, blocking privileged access workflows for administrators and managed accounts. Combines credential capture with session replay to pivot into downstream privileged systems managed by the connector.

Back to search

HIGHCVE-2026-45170Published 2026-06-12Modified 2026-06-12CNA palo_alto

CVE-2026-45170: Idira Privilege Cloud Connector: Potential Security Bypass due to Incomplete TLS Certificate Validation

Idira Privilege Cloud Connector versions prior 1.1.100504 under specific conditions and configuration scenarios, TLS certificate validation may not be fully enforced. CyberArk Security Bulletin: CA26-17

CVSS v4.0: 7.5
Severity: HIGH
Fixed in: 1.1.100504
Affected Products: 1

HarborGuard Analysis

Synopsis

Incomplete TLS certificate validation in CyberArk Idira Privilege Cloud Connector (versions 1.1.0 through before 1.1.100504) allows a network-adjacent attacker, under specific configuration conditions, to bypass certificate checks. No authentication is required, though the attacker must be positioned on the same network segment, LAN, or VPN and must elicit some interaction from the victim. Successful exploitation gives the attacker full read, write, and availability impact on the connector, enabling credential interception, session hijacking, or disruption of privileged access workflows. A patched-image rebuild at version 1.1.100504 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-45170 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI/CD pipelines, including custom-built images that bundle the Idira Privilege Cloud Connector.

Available

Triage

HarborGuard scores this CVE at CVSS 7.5 HIGH and weights it against each environment's compliance policy, then routes findings to the appropriate team inbox within the customer org based on configured escalation rules.

Available

Patch

A patched-image rebuild at version 1.1.100504 becomes available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityDetail
The attacker must be positioned on an adjacent network, LAN, or VPN segment; remote exploitation over the open internet is not possible with this attack vector.
AuthenticationNot required
No credentials or prior account access are needed to attempt the attack.
Victim interactionRequired
The attack requires some level of interaction from a person on the target system, introducing a social-engineering or timing dependency.
Attack complexityDetail
Exploitation is generally reliable but depends on specific configuration scenarios or environmental conditions being present (AT:P), meaning the attacker may need to wait for or trigger a particular state.

Blast Radius

Reads plaintext credentials or session tokens in transit between the connector and the privileged access management backend.
Modifies commands or responses in the TLS stream, allowing injection of unauthorized privileged-session instructions.
Crashes or disrupts the connector service, blocking privileged access workflows for administrators and managed accounts.
Combines credential capture with session replay to pivot into downstream privileged systems managed by the connector.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-45170 is active across all scanning pipelines, covering registry images and pipeline builds that include the affected connector versions. For environments where a vulnerable image is identified, a rebuilt image at the fixed version 1.1.100504 is made available. Customers who opt into auto-remediation receive a full rebuild, a regression-test run, and an automated PR opened against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy permits, HarborGuard will trigger this flow without manual intervention. For environments where auto-remediation is not enabled, the finding is surfaced in the triage queue with fix-version details so teams can act directly. Until patched, network-policy controls that restrict connector traffic to known-good internal segments reduce the exposure window by limiting which hosts can reach the connector on its listening interface.

See how HarborGuard automates this

Fix available

1.1.100504

Affected packages

CyberArk Software, a Palo Alto Networks Company / PAM SH Connector
< 1.1.100504 (from 1.1.0)

CVSS Vector

CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Amber

References

docs.cyberark.com

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available