CVE-2026-45178
Status: Analyzed (analysis complete)

Improper Access Control in Idira Secrets Manager Self-Hosted

Vulnerability report for CVE-2026-45178, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-11

Last updated on: 2026-06-22

Assigner: Palo Alto Networks, Inc.

Description

Idira Secrets Manager Self-Hosted versions 13.8.0 and lower exhibit improper access control within internal cluster endpoints. A remote, authenticated attacker holding standard node-level credentials could use these endpoints to retrieve secrets they are not authorized for or to cause a denial of service (DoS). Reference: CyberArk Security Bulletin CA26-20.

Meta Information

Published: 2026-06-11
Last Modified: 2026-06-22
Generated: 2026-07-02
AI Q&A: 2026-06-12
EPSS Evaluated: 2026-06-30
External entries: NVD, EUVD

Affected Vendors & Products

Two associated CPEs. Each range runs from the start version (inclusive) up to, but not including, the end version, so the end version is the first one outside the affected range.

Vendor            Product                                      Version range
paloaltonetworks  idira_secrets_manager                        13.0 (inclusive) to 13.8.1 (exclusive)
paloaltonetworks  idira_secrets_manager_credential_providers   14.0 (inclusive) to 14.2.6 (exclusive)

Weakness (CWE)

CWE-284, Improper Access Control: the product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Executive Summary

Idira Secrets Manager Self-Hosted versions 13.8.0 and lower have improper access control in their internal cluster endpoints.

A remote, authenticated attacker with standard node-level credentials can use these endpoints to retrieve secrets they are not authorized for or to cause a denial of service (DoS).

Impact Analysis

This vulnerability can allow an attacker to access sensitive secrets without proper authorization, which could lead to data breaches or unauthorized access to critical systems.

Additionally, the attacker could cause a denial of service (DoS), disrupting the availability of the Secrets Manager service.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Idira Secrets Manager Self-Hosted to version 13.8.1 or later, which includes security updates addressing the issues described in security bulletin CA26-20.

  • Install version 13.8.1 of Secrets Manager - Self-Hosted as it resolves multiple security issues.
  • Note that the update removes support for HTTP POST requests to the /authn-oidc endpoint; confirm that no integration still depends on POST to that endpoint before upgrading.
  • Ensure the Kubernetes Follower host has an authn/api-key value set in its Secrets Manager policy.
  • Verify that roles retrieving the Kubernetes Follower seed have execute permission on the web service.

Review the release notes and documentation for any behavior changes and installation or upgrade instructions before applying the update.
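A quick way to triage a host inventory against the affected ranges in the CPE table above and to confirm that the upgrade to 13.8.1 actually landed, written here as an added example (it is not the page's or the vendor's tooling). It assumes plain dotted numeric version strings, uses the product keys from the CPE table as identifiers, and the inventory lines are constructed for illustration.

```python
# Added example: triage a host inventory against the affected ranges
# listed for CVE-2026-45178. Not vendor tooling; the product keys mirror the
# CPE product names on this page and the inventory below is constructed.

# Affected ranges: (product, start inclusive, end exclusive), as in the CPE table.
AFFECTED_RANGES = (
    ("idira_secrets_manager", "13.0", "13.8.1"),
    ("idira_secrets_manager_credential_providers", "14.0", "14.2.6"),
)


def parse_version(text):
    """Turn '13.8.1' into a comparable tuple of ints, zero-padded to 3 parts.

    Comparing tuples avoids the classic string-compare bug where '13.10' sorts
    before '13.8'. Anything non-numeric (e.g. '13.8.1-rc1') is rejected so a
    build tag can never silently pass the check.
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) > 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return parts + (0,) * (3 - len(parts))


def is_affected(product, version):
    """True if (product, version) falls in an affected range; unknown products are not flagged."""
    v = parse_version(version)
    for name, start, end in AFFECTED_RANGES:
        if name == product and parse_version(start) <= v < parse_version(end):
            return True
    return False


def triage(inventory):
    """Map each (host, product, version) to (host, verdict)."""
    return [
        (host, "AFFECTED" if is_affected(product, version) else "not affected")
        for host, product, version in inventory
    ]


# Constructed inventory for illustration (not real hosts or real releases).
SAMPLE_INVENTORY = [
    ("sm-leader-01", "idira_secrets_manager", "13.8.0"),
    ("sm-leader-02", "idira_secrets_manager", "13.8.1"),
    ("sm-follower-k8s", "idira_secrets_manager", "13.10.2"),
    ("cp-node-07", "idira_secrets_manager_credential_providers", "14.2.5"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host:16} {verdict}")
```

The range bounds are taken verbatim from the CPE table, so the exclusive end (13.8.1 and 14.2.6) is treated as the first unaffected version. Rejecting non-numeric suffixes is deliberate: a host reporting a pre-release or vendor build string should be looked at by hand rather than assumed fixed.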

Compliance Impact

The vulnerability in Idira Secrets Manager Self-Hosted versions 13.8.0 and lower involves improper access control that could allow a remote, authenticated attacker with node-level credentials to retrieve unauthorized secrets or cause a denial of service. Such unauthorized access to sensitive secrets could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to sensitive information.

By potentially exposing confidential secrets, this vulnerability increases the risk of data breaches and unauthorized data disclosure, which are critical compliance concerns under these standards. Organizations using affected versions may face challenges in maintaining compliance until the vulnerability is remediated.
