CVE-2026-45172: Idira Privileged Session Manager for SSH (PSMP): Arbitrary Command Execution via Improper Neutralization of Special Elements used in an OS Command
Due to incomplete input validation in Idira Privileged Session Manager for SSH (PSMP) versions prior to 15.0.2, 14.6.3, 14.2.5, and 14.0.6, an authenticated, low-privileged user could potentially execute arbitrary commands on the PSMP host. See CyberArk Security Bulletins CA26-17 and CA26-18.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: 14.0.6
- Affected Products: 1
HarborGuard Analysis
Synopsis
An OS command injection vulnerability affects Idira Privileged Session Manager for SSH (PSMP) by CyberArk (a Palo Alto Networks company) in versions prior to 14.0.6, 14.2.5, 14.6.3, and 15.0.2. The flaw is reachable over the network by any authenticated low-privilege user, with no victim interaction required, due to incomplete input validation that fails to neutralize special characters before passing them to an OS-level command. Successful exploitation lets the attacker run arbitrary commands directly on the PSMP host. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running an affected version.
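The flaw class named above (special characters reaching an OS command unneutralized) is easiest to see next to its fix. The following is an added illustration written for this page, not PSMP's code or CyberArk's fix; the `user@host[:port]` target grammar, the function names, and the sample inputs are all assumptions. It contrasts the vulnerable pattern (interpolating user text into a shell command line) with the hardened pattern (allowlist validation plus an argv list so no shell is involved), and includes a small triage helper a defender can run over recorded target strings.

```python
import re
import subprocess
from typing import List

# Hypothetical target syntax for an SSH gateway: user@host[:port].
# This grammar is an assumption for the example, not PSMP's real input format.
_USER = r"[A-Za-z0-9._-]{1,64}"
_HOST = r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?"
TARGET_RE = re.compile(rf"^(?P<user>{_USER})@(?P<host>{_HOST})(?::(?P<port>\d{{1,5}}))?$")


def build_command_unsafe(target: str) -> str:
    """Vulnerable pattern: attacker-controlled text is interpolated into one
    command line that is later handed to a shell (shell=True). Anything the
    shell treats as special inside `target` is interpreted, not passed literally.
    Returned as a string here so the example never executes it."""
    return f"ssh -o BatchMode=yes {target}"


def parse_target(target: str) -> dict:
    """Allowlist validation: accept only the documented grammar, reject the rest.
    Raises ValueError instead of trying to 'clean' the input."""
    m = TARGET_RE.fullmatch(target)
    if m is None:
        raise ValueError("target does not match user@host[:port]")
    port = m.group("port")
    if port is not None and not 1 <= int(port) <= 65535:
        raise ValueError("port out of range")
    return {"user": m.group("user"), "host": m.group("host"), "port": port}


def build_command_safe(target: str) -> List[str]:
    """Hardened pattern: validate, then build an argv list. With shell=False each
    list element is exactly one argument, so no metacharacter is ever parsed."""
    t = parse_target(target)
    argv = ["ssh", "-o", "BatchMode=yes"]
    if t["port"] is not None:
        argv += ["-p", t["port"]]
    # "--" ends ssh's own option parsing, so a value beginning with "-" cannot be
    # read as an option even if the allowlist were loosened later.
    argv += ["--", f"{t['user']}@{t['host']}"]
    return argv


def run_safe(target: str) -> subprocess.CompletedProcess:
    """Execute the hardened form. Not called by the tests (it would try a real ssh)."""
    return subprocess.run(build_command_safe(target), shell=False,
                          check=False, capture_output=True, text=True)


def looks_injected(target: str) -> bool:
    """Triage helper: True when a recorded target string falls outside the
    allowlist grammar, i.e. would have reached a shell unneutralized."""
    return TARGET_RE.fullmatch(target) is None


def triage(recorded_targets: List[str]) -> List[str]:
    """Return the subset of recorded target strings worth a closer look."""
    return [t for t in recorded_targets if looks_injected(t)]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real session log.
    samples = ["alice@host1", "bob@host2:2222", "alice@host1;x", "carol@-bad"]
    print("unsafe command line :", build_command_unsafe(samples[2]))
    print("hardened argv       :", build_command_safe(samples[1]))
    print("flagged for review  :", triage(samples))
```

The contrast to take away: the unsafe builder happily returns a command line containing whatever the caller supplied, while the hardened path refuses the same value before any process is spawned. Validation that rejects is preferable to validation that strips, because a stripping routine has to anticipate every character a given shell treats as special.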
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle PSMP components.
HarborGuard is capable of scoring this finding at CVSS v4.0 8.7 (HIGH) and weighting it against each environment's compliance policy to determine urgency; findings are then routable to the appropriate team inbox within each customer organization.
A patched-image rebuild at versions 14.0.6, 14.2.5, 14.6.3, or 15.0.2 (matched to the customer's installed branch) is available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required. The attacker must reach the PSMP service over the network; the vulnerability is exposed via a network-accessible endpoint (AV:N).
- Authentication: Required. Any valid low-privilege account is sufficient to trigger the vulnerability; no administrative rights are needed (PR:L).
- Victim interaction: Not required. No action from another user or administrator is needed to complete the attack (UI:N).
- Attack complexity: Low. The exploit is reliable and condition-free; no race conditions or special environmental factors must align (AC:L, AT:N).
Blast Radius
- Reads sensitive data accessible to the PSMP process, including credentials, session metadata, and host configuration files (VC:H).
- Modifies files, processes, or system state on the PSMP host with the privileges of the compromised process (VI:H).
- Causes limited degradation of PSMP service availability; full denial of service is not indicated by impact scoring (VA:L).
- Impact is confined to the PSMP host itself; no lateral spread to systems outside the security scope is indicated (SC:N, SI:N, SA:N).
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication, matching affected PSMP image versions across customer registries and pipelines. Where compliance policy permits, HarborGuard can initiate a patched-image rebuild targeting the appropriate fix branch (14.0.6, 14.2.5, 14.6.3, or 15.0.2). For customers who opt into auto-remediation, the full flow (rebuild, regression run, and PR opened against affected workloads) is available; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with CVSS scoring and routes it to the configured team inbox so engineers can apply the upstream fix manually. Given that this vulnerability allows arbitrary command execution on the PSMP host by any authenticated user, prioritizing upgrade to a fixed version is strongly advised.
Fix available
- CyberArk Software, a Palo Alto Networks Company / PAM Self-Hosted, Privilege Cloud: < 14.0.6 (from 14.0) · < 14.2.5 (from 14.2) · < 14.6.3 (from 14.6) · < 15.0.2 (from 15.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/U:Amber