CVE-2026-45171: Idira Privileged Session Manager (PSM): Potential Code Execution due to Incomplete Input Validation
Due to incomplete input validation and improperly configured folder permissions within Idira Privileged Session Manager (PSM) versions prior to 15.0.3, 14.6.3, 14.2.5, and 14.0.5, an authenticated, low-privileged user could potentially execute arbitrary code. CyberArk Security Bulletins: CA26-17 and CA26-18.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: 14.0.5
- Affected Products: 1
HarborGuard Analysis
Synopsis
An incomplete input validation vulnerability combined with improperly configured folder permissions affects Idira Privileged Session Manager (PSM) versions prior to 14.0.5, 14.2.5, 14.6.3, and 15.0.3. The flaw is reachable over the network and requires only a low-privileged authenticated account, meaning any user with a basic login can attempt exploitation without needing administrative rights. Successful exploitation gives the attacker arbitrary code execution on the PSM host. Patched-image rebuilds at versions 14.0.5, 14.2.5, 14.6.3, and 15.0.3 are available on HarborGuard for environments running affected versions.
HarborGuard Coverage
- Detection (Available): detection is active across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle PSM components.
- Scoring and routing (Available): HarborGuard scores this finding at CVSS 4.0 8.7 (HIGH), weights it against each environment's compliance policy to determine urgency, and routes it to the appropriate team inbox within the customer organization based on asset ownership rules.
- Patched-image rebuild (Available): a rebuild at the fix version for the affected branch (14.0.5, 14.2.5, 14.6.3, or 15.0.3) becomes available through HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads.
Exploit Conditions
- Network reachability: Required
The attacker must reach the PSM service over the network; there is no requirement for local or physical access to the host.
- Authentication: Required
A valid low-privilege account is sufficient; no administrative or elevated credentials are needed to trigger the vulnerability.
- Victim interaction: Not required
No victim action such as clicking a link or opening a file is needed; the attacker interacts directly with the PSM service.
- Attack complexity: Low (AC:L)
The exploit is reliable and condition-free; no race conditions or environmental prerequisites are required for it to succeed.
Blast Radius
- Executes arbitrary code on the PSM host under the permissions of the running service process.
- Reads credentials, session recordings, and privileged account data managed by the PSM vault.
- Modifies or deletes session logs and audit trails, undermining forensic integrity.
- Disrupts availability of the PSM service, blocking privileged access workflows across connected systems.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-45171 is active across ingestion pipelines and will flag any image running a PSM version below the fix threshold for its branch (14.0.5, 14.2.5, 14.6.3, or 15.0.3). Given the HIGH severity and the network-reachable, low-privilege attack path, this CVE qualifies for expedited triage routing under standard HarborGuard policy. For customers who opt into auto-remediation, HarborGuard can rebuild the image at the appropriate fix version, execute regression tests, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval before merging, the PR and its test results are staged for review. Customers not yet on a fix branch should consider isolating PSM endpoints with network policy rules that restrict inbound access to known privileged-access workstations until the patched image is deployed.
Fix available
- Vendor: CyberArk Software, a Palo Alto Networks Company / Product: Privileged Session Manager, Vault / Affected: < 14.0.5 (from 14.0) · < 14.2.5 (from 14.2) · < 14.6.3 (from 14.6) · < 15.0.3 (from 15.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/RE:M/U:Amber
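The per-branch thresholds above are easy to get wrong with a naive "version < 15.0.3" comparison (it would miss 14.6.x entirely). The following added example, which is not HarborGuard's or CyberArk's code, shows a branch-aware check that maps a PSM version to the fix version its rebuild should target, using only the ranges listed on this page; image references and versions in the sample inventory are constructed.

```python
"""Branch-aware affected-version check for CVE-2026-45171 (added example).

Ranges are taken from the 'Fix available' line on this page. Versions are
assumed to be plain dotted integers such as '14.6.2'; branches the page does
not list (e.g. 14.1.x, 13.x) are deliberately NOT flagged, so a scanner must
consult the vendor bulletin before treating them as safe.
"""

# (introduced, fixed) per affected branch; vulnerable if introduced <= v < fixed
AFFECTED_RANGES = [
    ("14.0", "14.0.5"),
    ("14.2", "14.2.5"),
    ("14.6", "14.6.3"),
    ("15.0", "15.0.3"),
]


def parse_version(text, width=3):
    """'14.6' -> (14, 6, 0); pads so that '14.6' compares equal to '14.6.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > width:
        raise ValueError(f"too many version components: {text!r}")
    return tuple(parts + [0] * (width - len(parts)))


def fix_version_for(version):
    """Return the fix version the image should be rebuilt to, or None when the
    version falls outside every listed affected range."""
    v = parse_version(version)
    for introduced, fixed in AFFECTED_RANGES:
        if parse_version(introduced) <= v < parse_version(fixed):
            return fixed
    return None


def triage(inventory):
    """inventory: {image_ref: psm_version}. Returns one finding per affected
    image, carrying the branch-specific fix version for the rebuild PR."""
    findings = []
    for image, version in inventory.items():
        fix = fix_version_for(version)
        if fix is not None:
            findings.append({"image": image, "version": version, "fix": fix,
                             "cve": "CVE-2026-45171", "severity": "HIGH"})
    return findings


# Constructed sample inventory (not real images or registries)
SAMPLE_INVENTORY = {
    "registry.example/psm:14.0.4": "14.0.4",  # below 14.0.5 -> affected
    "registry.example/psm:14.0.5": "14.0.5",  # at fix version -> clean
    "registry.example/psm:14.6":   "14.6",    # 14.6.0, below 14.6.3 -> affected
    "registry.example/psm:15.0.3": "15.0.3",  # at fix version -> clean
    "registry.example/psm:14.1.0": "14.1.0",  # branch not listed on this page
}
```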