HIGH | CVE-2026-45176 | CNA: palo_alto

CVE-2026-45176: Idira Endpoint Privilege Manager Agent: Local Privilege Escalation via Internal Communication or File Operation Manipulation

Idira Endpoint Privilege Manager Agent versions prior to 26.5 exhibit improper access control within high-privileged agent components. A local, low-privileged attacker could exploit this by manipulating an internal communication mechanism or file operation. Under specific circumstances, this could potentially allow the attacker to bypass permission restrictions and execute unauthorized local actions with elevated privileges.

CyberArk Security Bulletin: CA26-19

Metrics

  • CVSS v4.0: 8.9
  • Severity: HIGH
  • Fixed in: 26.5
  • Affected Products: 1

HarborGuard Analysis

Synopsis

A local privilege escalation vulnerability affects Idira Endpoint Privilege Manager Agent versions from 26.0 up to (but not including) 26.5. An attacker who already has a low-privileged foothold on the host can manipulate an internal communication mechanism or file operation within a high-privileged agent component to bypass permission restrictions and execute arbitrary actions with elevated privileges. No network access or authentication is required beyond the existing local session. A patched-image rebuild at version 26.5 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-45176 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that package the Idira Endpoint Privilege Manager Agent. Any image containing an affected version (26.0 to below 26.5) is flagged automatically in both registry scans and CI/CD pipeline checks.

Status: Available
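The affected-range check described above can be reproduced against an asset inventory. This is an added example, not HarborGuard's matching logic; the image names and version strings are constructed sample data, and routing pre-26.0 builds to review is an assumption made because the description says "prior to 26.5" while the package range starts at 26.0.

```python
import re

# Range stated on this page: from 26.0 up to, but not including, 26.5.
AFFECTED_FROM = (26, 0)
FIXED_IN = (26, 5)

def parse_version(text):
    """Turn '26.4.1' into (26, 4, 1); return None for non-numeric strings."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def pad(version, length):
    """Right-pad with zeros so 26.5 and 26.5.0 compare as equal."""
    return version + (0,) * (length - len(version))

def classify(version_text):
    """Return 'affected', 'fixed' or 'review' for one agent version string."""
    v = parse_version(version_text)
    if v is None:
        return "review"            # unparsable: never silently clear it
    n = max(len(v), 2)
    v = pad(v, n)
    if v >= pad(FIXED_IN, n):
        return "fixed"
    if v >= pad(AFFECTED_FROM, n):
        return "affected"
    return "review"                # older than 26.0: outside the listed range

# Constructed sample inventory: (image reference, agent version found in it).
INVENTORY = [
    ("registry.example/base-win:1", "26.4.1"),
    ("registry.example/base-win:2", "26.5"),
    ("registry.example/legacy:7", "25.9"),
    ("registry.example/build-agent:3", "26.10.0"),
    ("registry.example/unknown:1", "26.x-custom"),
]

def triage(inventory):
    """Group image references by verdict."""
    result = {"affected": [], "fixed": [], "review": []}
    for image, version in inventory:
        result[classify(version)].append(image)
    return result

if __name__ == "__main__":
    for verdict, images in triage(INVENTORY).items():
        print(verdict, images)
```

Comparing numeric tuples matters here: as plain strings, "26.10.0" sorts before "26.5" and a fixed build would be reported as affected.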
Triage

HarborGuard scores this CVE at 8.9 HIGH using the CVSS v4.0 vector and weights findings against each customer environment's compliance policy, escalating findings to the appropriate team inbox within that org. Per-environment policy configuration determines whether findings are routed as blocking pipeline failures or advisory notifications.

Status: Available
Patch

A patched-image rebuild at Idira Endpoint Privilege Manager Agent version 26.5 becomes available on HarborGuard for images confirmed to carry an affected version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network-facing exposure is required to reach the vulnerable component.

  • Authentication: Not required

    No authentication credential is required beyond the attacker's existing low-privileged local session, which is treated as the starting condition rather than a barrier.

  • Victim interaction: Not required

    Exploitation is fully attacker-driven; no action by another user or administrator is needed to trigger the vulnerability.

  • Attack complexity: Detail

    Attack complexity is rated High, meaning exploitation depends on specific environmental circumstances such as timing, file-system state, or internal IPC conditions that the attacker cannot fully control on demand.

Blast Radius

  • Reads sensitive data from the local system with full privileged-process visibility, including credentials, configuration files, and secrets accessible to the agent.
  • Modifies files, registry entries, or application state on the host with elevated privileges, potentially altering the security policy enforced by the agent itself.
  • Crashes or disrupts the Endpoint Privilege Manager Agent service, disabling privilege-control enforcement on the affected host.
  • Creates potential for lateral movement by using elevated local privileges to access credentials or tokens reachable only by high-privileged processes.

How HarborGuard Handles This

Available on HarborGuard: detection, triage, and patch readiness for CVE-2026-45176 are all available without manual configuration. For any image containing Idira Endpoint Privilege Manager Agent below version 26.5, HarborGuard flags the finding within minutes of publication and scores it at 8.9 HIGH. Where compliance policy permits, auto-remediation customers receive a rebuilt image at version 26.5, a regression-test run against the new image, and a PR opened against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Because this is a local privilege escalation with no network requirement, customers who cannot immediately patch should consider applying host-level process isolation controls, restricting which container identities can mount or write to paths accessed by the agent, and reviewing least-privilege policies for any workload bundling this component. HarborGuard continues re-evaluating images against the 26.5 fix baseline on every ingest cycle.

Fix available: 26.5
Affected packages
  • CyberArk Software, a Palo Alto Networks Company / Idira Endpoint Privilege Manager
    < 26.5 (from 26.0)
CVSS Vector
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/U:Amber
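
The Exploit Conditions entries above follow from the base metrics in this vector. The parser below is an added example, not HarborGuard's code: it validates the eleven CVSS v4.0 base metrics and derives those conditions, while the function names and the shape of the returned dictionary are assumptions made for illustration.

```python
# Vector string copied from this page.
VECTOR = "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/U:Amber"

# CVSS v4.0 base metrics in specification order, with their allowed values.
BASE = {
    "AV": {"N", "A", "L", "P"}, "AC": {"L", "H"}, "AT": {"N", "P"},
    "PR": {"N", "L", "H"}, "UI": {"N", "P", "A"},
    "VC": {"H", "L", "N"}, "VI": {"H", "L", "N"}, "VA": {"H", "L", "N"},
    "SC": {"H", "L", "N"}, "SI": {"H", "L", "N"}, "SA": {"H", "L", "N"},
}

def parse_vector(vector):
    """Parse a CVSS v4.0 vector; base metrics are validated strictly,
    other metrics (such as the supplemental U here) are kept unvalidated."""
    prefix, *parts = vector.split("/")
    if prefix != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector")
    metrics = {}
    for part in parts:
        name, sep, value = part.partition(":")
        if not sep or not value or name in metrics:
            raise ValueError(f"malformed or duplicate metric: {part!r}")
        if name in BASE and value not in BASE[name]:
            raise ValueError(f"invalid value for {name}: {value!r}")
        metrics[name] = value
    if list(metrics)[:len(BASE)] != list(BASE):
        raise ValueError("base metrics missing or out of order")
    return metrics

def exploit_conditions(metrics):
    """Derive the conditions listed under Exploit Conditions."""
    return {
        "network_reachability_required": metrics["AV"] in ("N", "A"),
        "privileges_required": metrics["PR"] != "N",
        "user_interaction_required": metrics["UI"] != "N",
        "attack_complexity": "High" if metrics["AC"] == "H" else "Low",
        "attack_requirements_present": metrics["AT"] == "P",
    }

if __name__ == "__main__":
    for key, value in exploit_conditions(parse_vector(VECTOR)).items():
        print(f"{key}: {value}")
```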