CVE-2026-45172
Received - Intake
Authenticated Command Injection in Idira Privileged Session Manager for SSH
Publication date: 2026-06-11
Last updated on: 2026-06-11
Assigner: Palo Alto Networks, Inc.
Description
Due to incomplete input validation in Idira Privileged Session Manager for SSH (PSMP) versions prior to 15.0.2, 14.6.3, 14.2.5, and 14.0.6, an authenticated, low-privileged user could potentially execute arbitrary commands on the PSMP host. CyberArk Security Bulletins: CA26-17 and CA26-18
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cyberark | idira_privileged_session_manager | up to 15.0.2 (exclusive) |
| cyberark | idira_privileged_session_manager | up to 14.6.3 (exclusive) |
| cyberark | idira_privileged_session_manager | up to 14.2.5 (exclusive) |
| cyberark | idira_privileged_session_manager | up to 14.0.6 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |