HarborGuard Database

HIGH  CVE-2026-45178  CNA: palo_alto

CVE-2026-45178: Idira Secrets Manager Self-Hosted: Improper Access Control in Internal Cluster Endpoints

Idira Secrets Manager Self-Hosted versions 13.8.0 and lower exhibit improper access control within internal cluster endpoints. A remote, authenticated attacker possessing standard node-level credentials could leverage these endpoints to potentially retrieve unauthorized secrets or cause a denial of service (DoS). CyberArk Security Bulletin: CA26-20

Metrics

CVSS v4.0: 8.4
Severity: HIGH
Fixed in: 13.8.1, 14.2.6
Affected Products: 4


HarborGuard Analysis

Synopsis

Improper access control in Idira Secrets Manager Self-Hosted (CyberArk Conjur Enterprise) allows a remote, authenticated attacker with standard node-level credentials to reach internal cluster endpoints that should be inaccessible to ordinary users. The attacker must authenticate over the network but needs only a low-privilege account, with no user interaction required. Successful exploitation allows the attacker to read secrets stored outside their authorization scope and to partially degrade service availability. Patched-image rebuilds at versions 13.8.1 and 14.2.6 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-45178 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built Conjur Enterprise images, in connected registries and CI/CD pipelines. Any image running a Conjur Enterprise release in the affected ranges (13.x below 13.8.1 or 14.x below 14.2.6) is flagged automatically.

Triage: Available

HarborGuard scores this finding at CVSS v4.0 8.4 (HIGH) and weights it against each environment's compliance policy to determine escalation priority. Triage routing directs the alert to the appropriate team inbox in each customer organization based on image ownership and policy configuration.

Patch: Available

A patched-image rebuild at version 13.8.1 or 14.2.6 becomes available in HarborGuard as soon as the upstream fix is confirmed against the affected image layer. For customers who opt into auto-remediation, HarborGuard runs a regression test suite against the rebuilt image and opens a pull request against affected workloads; where compliance policy permits, this flow completes within approximately 90 minutes of CVE publication for HIGH-severity findings.
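The detection step above reduces to a version-range match: a Conjur Enterprise image is affected when its tag resolves to a version in [13.0, 13.8.1) or [14.0, 14.2.6). The following is an added example of that check, not HarborGuard's or CyberArk's code; the two ranges are the ones listed on this page, and the image references in SAMPLE_IMAGES are constructed test data. Tags that carry no release version (such as "latest") are reported separately rather than silently treated as safe.

```python
"""Affected-range check for CVE-2026-45178 (CyberArk Conjur Enterprise).

Added example, not HarborGuard's or CyberArk's code. The two affected ranges
are the ones listed on this page (13.0 <= v < 13.8.1 and 14.0 <= v < 14.2.6);
the image tags in SAMPLE_IMAGES are constructed test data.
"""
import re
from typing import Optional

Version = tuple[int, int, int]

# (introduced, fixed) pairs: a version is affected when introduced <= v < fixed.
AFFECTED_RANGES: list[tuple[Version, Version]] = [
    ((13, 0, 0), (13, 8, 1)),
    ((14, 0, 0), (14, 2, 6)),
]

# Accepts "13.8.0", "v14.2.5", "13.8" and tags with a build/variant suffix
# such as "13.8.0-ubi8"; anything else (e.g. "latest") is unresolvable.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+][0-9A-Za-z.\-]+)?$")


def parse_version(tag: str) -> Optional[Version]:
    """Resolve an image tag to (major, minor, patch); None if it has no release version."""
    m = _VERSION_RE.match(tag.strip())
    if m is None:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(tag: str) -> Optional[bool]:
    """True if the tag is in an affected range, False if it is fixed or out of
    range, None if the tag cannot be resolved and needs manual review."""
    v = parse_version(tag)
    if v is None:
        return None
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(tag: str) -> Optional[str]:
    """Return the fix version for an affected tag (the 'fixed' bound of its range)."""
    v = parse_version(tag)
    if v is None:
        return None
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(map(str, hi))
    return None


# Constructed sample: registry image references as a scanner would see them.
SAMPLE_IMAGES = [
    "registry.example.internal/conjur-enterprise:13.8.0",
    "registry.example.internal/conjur-enterprise:13.8.1",
    "registry.example.internal/conjur-enterprise:v14.2.5-ubi8",
    "registry.example.internal/conjur-enterprise:14.2.6",
    "registry.example.internal/conjur-enterprise:12.9.3",
    "registry.example.internal/conjur-enterprise:latest",
]


def triage(images: list[str]) -> dict[str, list[str]]:
    """Bucket image references into affected / not_affected / unresolved."""
    result: dict[str, list[str]] = {"affected": [], "not_affected": [], "unresolved": []}
    for ref in images:
        tag = ref.rsplit(":", 1)[-1]  # the tag follows the last colon
        status = is_affected(tag)
        if status is None:
            result["unresolved"].append(ref)
        elif status:
            result["affected"].append(ref)
        else:
            result["not_affected"].append(ref)
    return result


if __name__ == "__main__":
    for bucket, refs in triage(SAMPLE_IMAGES).items():
        for ref in refs:
            fix = fixed_version_for(ref.rsplit(":", 1)[-1])
            print(f"{bucket:13} {ref}" + (f"  -> upgrade to {fix}" if fix else ""))
```

The half-open ranges matter at the boundaries: 13.8.0 is flagged and 13.8.1 is not, which is exactly the distinction the advisory draws; a naive "major.minor <= 13.8" comparison would get 13.8.1 wrong.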

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Conjur Enterprise cluster over the network; the vulnerable endpoints are exposed remotely, making network access a prerequisite.

  • Authentication: Required

    Any low-privilege account with standard node-level credentials is sufficient; no administrative or elevated role is needed.

  • Victim interaction: Not required

    The attacker operates entirely without any action from another user or administrator.

  • Attack complexity: Low

    Exploitation is straightforward and requires no preconditions (CVSS AC:L, AT:N): no race conditions or special environmental state are needed to reach the vulnerable endpoints.

Blast Radius

  • Reads secrets stored in Conjur Enterprise that the attacker's account is not authorized to access, exposing credentials, API keys, or other sensitive material held by the cluster.
  • Partially degrades service availability of the secrets manager, which can interrupt dependent workloads that rely on Conjur for runtime credential retrieval.
  • Secondary systems that consume secrets from Conjur are affected if the cluster's availability is disrupted, broadening the impact beyond the secrets manager itself.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-45178 is active against all images in connected registries and pipelines, including custom-built Conjur Enterprise images, with findings scored at CVSS v4.0 8.4 HIGH. For environments running Conjur Enterprise 13.x before 13.8.1 or 14.x before 14.2.6, a patched-image rebuild at the fixed version is available. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy does not permit automated changes, the finding is routed to the appropriate team inbox with full context, including affected image tags and the relevant fix version, so engineers can act immediately.


Fix available: 13.8.1, 14.2.6

Affected packages
  • CyberArk Software, a Palo Alto Networks Company / Conjur Enterprise
    < 13.8.1 (from 13.0)
  • CyberArk Software, a Palo Alto Networks Company / Conjur Enterprise
    < 14.2.6 (from 14.0)
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:L/U:Amber
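The Exploit Conditions and Blast Radius sections above are a reading of this vector: AV:N/PR:L/UI:N give the attacker preconditions, AC:L/AT:N the complexity, VC:H/VI:N/VA:L the impact on Conjur itself and SC:H/SI:N/SA:L the impact on the systems that consume its secrets. The following added example (not HarborGuard's tooling) decodes a v4.0 vector into those two views, rejecting malformed or incomplete vectors; metric abbreviations and value labels are those of the CVSS v4.0 specification, the qualitative phrasings in exploit_conditions are my own, and the score itself is not recomputed.

```python
"""Decode the CVSS v4.0 vector for CVE-2026-45178 into the attacker
preconditions and impacts it encodes.

Added example, not HarborGuard's tooling. Metric abbreviations and value
labels are those of the CVSS v4.0 specification; VECTOR is the string
published on this page. Scoring is not reproduced here, only the decoding.
"""

VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:L/U:Amber"

_IMPACT = {"H": "High", "L": "Low", "N": "None"}

# Base metrics (all mandatory) plus the optional Supplemental "Provider Urgency" (U).
LABELS = {
    "AV": {"N": "Network", "A": "Adjacent", "L": "Local", "P": "Physical"},
    "AC": {"L": "Low", "H": "High"},
    "AT": {"N": "None", "P": "Present"},
    "PR": {"N": "None", "L": "Low", "H": "High"},
    "UI": {"N": "None", "P": "Passive", "A": "Active"},
    "VC": _IMPACT, "VI": _IMPACT, "VA": _IMPACT,
    "SC": _IMPACT, "SI": _IMPACT, "SA": _IMPACT,
    "U": {"Clear": "Clear", "Green": "Green", "Amber": "Amber", "Red": "Red"},
}
BASE_METRICS = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")


def parse_vector(vector: str) -> dict:
    """Split a v4.0 vector into {metric: value}, rejecting malformed input."""
    prefix, _, body = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {prefix!r}")
    metrics: dict = {}
    for item in body.split("/"):
        name, sep, value = item.partition(":")
        if not sep or name not in LABELS or value not in LABELS[name]:
            raise ValueError(f"unknown metric or value: {item!r}")
        if name in metrics:
            raise ValueError(f"metric repeated: {name}")
        metrics[name] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"base metrics missing: {missing}")
    return metrics


def exploit_conditions(metrics: dict) -> dict:
    """Derive the qualitative preconditions (the 'Exploit Conditions' view).
    Phrasings are this example's own, not CVSS-defined strings."""
    pr, ui = metrics["PR"], metrics["UI"]
    return {
        "network_reachability": "Required" if metrics["AV"] in ("N", "A")
        else "Not required (local or physical access instead)",
        "authentication": "Not required" if pr == "N"
        else f"Required ({LABELS['PR'][pr].lower()} privilege)",
        "victim_interaction": "Not required" if ui == "N"
        else f"Required ({LABELS['UI'][ui].lower()})",
        "attack_complexity": "Low, no preconditions"
        if (metrics["AC"], metrics["AT"]) == ("L", "N") else "Elevated (AC or AT set)",
    }


def blast_radius(metrics: dict) -> dict:
    """Impact on the vulnerable system and on subsequent (downstream) systems."""
    cia = (("confidentiality", "C"), ("integrity", "I"), ("availability", "A"))
    return {
        "vulnerable_system": {k: LABELS["V" + m][metrics["V" + m]] for k, m in cia},
        "subsequent_systems": {k: LABELS["S" + m][metrics["S" + m]] for k, m in cia},
    }


def summarize(vector: str) -> dict:
    """Full decode: preconditions, impact and provider urgency if present."""
    m = parse_vector(vector)
    return {
        "conditions": exploit_conditions(m),
        "impact": blast_radius(m),
        "provider_urgency": m.get("U", "not stated"),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(VECTOR), indent=2))
```

Run against the vector above, the decode reproduces the page's qualitative reading: network reach and a low-privilege login required, no user interaction, low complexity, high confidentiality and low availability impact on Conjur, and high confidentiality impact on downstream consumers of its secrets.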