CVE-2026-45175: Idira Endpoint Privilege Manager Agent: Security Control and Cryptographic Validation Bypass in Internal Agent Validation Processes
Idira Endpoint Privilege Manager Agent versions prior to 26.5 exhibit improper access control within internal agent validation processes. A local attacker could potentially bypass built-in security controls or cryptographic validations. Under specific circumstances, this could allow the attacker to circumvent agent self-defense mechanisms and execute unauthorized operations.
CyberArk Security Bulletin: CA26-19
Metrics
- CVSS v4.0: 8.5
- Severity: HIGH
- Fixed in: 26.5
- Affected Products: 1
HarborGuard Analysis
Synopsis
An improper access control vulnerability affects the Idira Endpoint Privilege Manager Agent, a local privilege management component from CyberArk Software. A local attacker with a low-privilege account can bypass built-in security controls or cryptographic validations within the agent's internal validation processes, circumventing agent self-defense mechanisms and executing unauthorized operations with elevated access. A patched-image rebuild at version 26.5 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-45175 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle the Idira Endpoint Privilege Manager Agent. Coverage applies to images in both connected registries and active CI/CD pipelines.
HarborGuard is capable of scoring this CVE at CVSS 8.5 HIGH and weighting it against each environment's compliance policy to determine urgency. Triage routing directs findings to the appropriate team inbox within each customer organization based on configured ownership rules.
A patched-image rebuild at version 26.5 becomes available on HarborGuard for any image found to include an affected Idira Endpoint Privilege Manager Agent version. For customers with auto-remediation enabled, HarborGuard can trigger a rebuild, run a regression test suite, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network exposure is required to reach the vulnerable component.
- Authentication: Required
Any low-privilege local account is sufficient to attempt the bypass; no administrative credentials are needed.
- Victim interaction: Not required
No action from another user or victim is required to exploit this vulnerability.
- Attack complexity: Detail
The exploit is reliable and condition-free, with no race conditions or environmental prerequisites identified in the CVSS vector.
Blast Radius
- Reads sensitive data accessible to the privilege manager agent, including credentials or policy configurations protected by the agent's cryptographic controls.
- Modifies agent policy state or persisted configuration, undermining privilege enforcement decisions made by the endpoint manager.
- Crashes or disrupts the privilege manager agent process, disabling endpoint privilege enforcement on the affected host.
How HarborGuard Handles This
Available on HarborGuard: detection of this CVE is matched against all scanned images immediately after advisory ingestion. For images found running Idira Endpoint Privilege Manager Agent versions from 26.0 up to but not including 26.5, a rebuild at version 26.5 is available. Where auto-remediation is enabled, HarborGuard can execute a full rebuild, regression run, and open a PR against affected workloads without manual intervention; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and test results are staged and surfaced in the triage queue for engineer review. Customers who cannot immediately apply the fix may consider restricting local shell access to the agent host as a compensating control while evaluating the upgrade path to 26.5.
Fix available
- CyberArk Software, a Palo Alto Networks Company / Idira Endpoint Privilege Manager < 26.5 (from 26.0)
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Amber