HIGH | CVE-2026-45174 | CNA: palo_alto

CVE-2026-45174: Idira Endpoint Privilege Manager Linux Agent: Potential bypass of Agent Daemon Initialization

Idira Endpoint Privilege Manager Linux Agent versions prior to 26.5 allow a local attacker to potentially compromise the agent daemon initialization. CyberArk Security Bulletin: CA26-19

Metrics

CVSS v4.0: 8.5
Severity: HIGH
Fixed in: 26.5
Affected Products: 1


HarborGuard Analysis

Synopsis

An authentication bypass (agent daemon initialization bypass) affects the Idira Endpoint Privilege Manager Linux Agent in versions 26.0 through 26.4. The vulnerability is exploited locally by an attacker who already holds a low-privilege account on the host; it requires no network access and no interaction from another user. Successful exploitation has a high confidentiality, integrity, and availability impact on the host, effectively compromising the privilege-management agent itself. A patched-image rebuild at version 26.5 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images and pipeline artifacts, including internally built images that bundle the Idira Linux Agent. No manual feed configuration is required to gain coverage.

Triage: Available

HarborGuard scores this finding at CVSS 8.5 HIGH using the published v4.0 vector and weights it against each environment's compliance policy to determine routing priority. Findings are dispatched to the appropriate team inbox within each customer organization based on policy-defined severity thresholds and ownership rules.

Patch: Available

A patched-image rebuild at version 26.5 becomes available on HarborGuard for any image found to contain an affected version of the Idira Linux Agent. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the target is required.

  • Authentication: Required

    Any low-privilege local account is sufficient; the attacker does not need administrator or root credentials to trigger the vulnerability.

  • Victim interaction: Not required

    No action from another user or administrator is needed; the attacker can exploit the flaw unilaterally.

  • Attack complexity

    The exploit is reliable and condition-free; no race conditions, memory-layout dependencies, or special environmental configuration are required.

Blast Radius

  • Reads sensitive data managed or protected by the privilege-manager agent, including credentials and policy configuration stored on the host.
  • Writes to or tampers with agent-controlled files and policy state, allowing privilege escalation or policy suppression.
  • Disrupts agent daemon availability, disabling endpoint privilege controls and leaving the host unprotected.

How HarborGuard Handles This

Available on HarborGuard: any image containing Idira Endpoint Privilege Manager Linux Agent versions 26.0 through 26.4 is flagged immediately upon scan, scored at CVSS 8.5 HIGH, and queued for remediation review. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at version 26.5, runs regression checks, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding is surfaced in the HarborGuard dashboard with the fix version clearly indicated so engineering teams can act manually. Because this vulnerability requires local access, customers who cannot patch immediately should consider restricting which users can obtain a shell on affected hosts and auditing local account provisioning as a compensating control.
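The compensating control described above, as an added example (not HarborGuard or CyberArk code): a Python check that decides whether an agent version falls in the affected range (26.0 up to, but not including, 26.5) and lists the non-root accounts in passwd(5) text that have a login shell. The function names, the non-login shell list, and the sample passwd lines are assumptions constructed for illustration; a login shell in passwd does not prove the account is unlocked.

```python
import re

AFFECTED_FROM = (26, 0)  # from the advisory: affected from 26.0
FIXED_IN = (26, 5)       # from the advisory: fixed in 26.5
# Assumption: shells that deny an interactive login on the audited hosts.
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}

def parse_version(text):
    """Return (major, minor) from a version string such as '26.4' or '26.4.1-3'."""
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def is_affected(version):
    """True when 26.0 <= version < 26.5, the range given in the advisory."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN

def shell_accounts(passwd_text):
    """Names of non-root accounts in passwd(5) text whose shell allows a login."""
    names = []
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry; skip rather than guess
        name, uid, shell = fields[0], fields[2], fields[6]
        # An empty shell field defaults to /bin/sh, so it counts as a login shell.
        if uid != "0" and shell not in NON_LOGIN_SHELLS:
            names.append(name)
    return names

def exposure(version, passwd_text):
    """On an affected host, the local accounts that meet the low-privilege precondition."""
    return shell_accounts(passwd_text) if is_affected(version) else []

# Constructed sample: passwd(5) lines for a hypothetical host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1001:1001::/home/deploy:/bin/bash
svc-backup:x:998:998::/var/lib/backup:/bin/sh
alice:x:1002:1002::/home/alice:/bin/zsh
"""

if __name__ == "__main__":
    for v in ("26.4", "26.5"):
        print(v, is_affected(v), exposure(v, SAMPLE_PASSWD))
```

Service accounts such as the constructed `svc-backup` entry are worth reviewing first, since they rarely need an interactive shell.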


Fix available: 26.5

Affected packages
  • CyberArk Software, a Palo Alto Networks Company / Idira Endpoint Privilege Manager
    < 26.5 (from 26.0)

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Amber