Privilege Escalation / RCE in Idira (CyberArk) Privileged Session Manager (PSM) — CVE-2026-45171
critical-cve-against-infra · active
A flaw in Idira/CyberArk Privileged Session Manager (PSM) — caused by incomplete input validation and improperly configured folder permissions — could let an authenticated, low-privileged user execute arbitrary code. Affected versions should be upgraded to the fixed releases (15.0.3, 14.6.3, 14.2.5, or 14.0.5).
Affected packages
Sources
- ghsa: https://github.com/advisories/GHSA-g3c5-h5qv-px3q
- nvd: https://nvd.nist.gov/vuln/detail/CVE-2026-45171
- google-search: https://docs.cyberark.com/pam-self-hosted/latest/en/content/release%20notes/rn-whatsnew14-0-5.htm
- google-search: https://docs.cyberark.com/pam-self-hosted/latest/en/content/release%20notes/rn-whatsnew14-2-5.htm
- google-search: https://docs.cyberark.com/pam-self-hosted/latest/en/content/release%20notes/rn-whatsnew14-6-psm.htm#14.6.3
- google-search: https://docs.cyberark.com/pam-self-hosted/latest/en/content/release%20notes/rn-whatsnew15-0-psm.htm#15.0.3