CVE-2026-45173: Idira Identity Browser Extension: Unauthorized Application Interaction via Origin Validation Failure

Synopsis

An origin validation failure in the Idira Identity Browser Extension (Chrome, Firefox, and Edge builds, versions 26.0.0 through 26.8.1) allows a remote attacker to trigger unauthorized application interaction within an authenticated browser session. The attack is delivered over the network and requires no authentication on the attacker's part, but does require the victim to visit a specially crafted webpage. Successful exploitation lets an attacker read sensitive data and manipulate application state within the context of the victim's authenticated session. A patched-image rebuild at version 26.8.1 is available on HarborGuard for affected environments.

HarborGuard Coverage

Exploit Conditions

• Network reachabilityRequired

  The attacker delivers the malicious payload over the network; the victim's browser must be able to reach the attacker-controlled webpage.

• AuthenticationNot required

  No credentials or account on the target system are needed; the attacker requires no prior authentication.

• Victim interactionRequired

  The victim must navigate to a specially crafted webpage, requiring a social-engineering step to lure the authenticated user to the attacker-controlled URL.

• Attack complexityDetail

  Attack complexity is low; the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

• Reads sensitive data accessible within the authenticated browser session, including stored credentials or session tokens managed by the Idira extension.
• Modifies application interaction parameters within the authenticated session context, potentially altering in-progress workflows or authorization state.
• Affects both the local browser session scope and downstream connected systems, as the CVSS vector indicates high impact to both victim and subsequent system confidentiality and integrity.