
Description

Due to incomplete input validation in Idira Privileged Session Manager for SSH (PSMP) versions prior to 15.0.2, 14.6.3, 14.2.5, and 14.0.6, an authenticated, low-privileged user could potentially execute arbitrary commands on the PSMP host.

CyberArk Security Bulletins: CA26-17 and CA26-18.

State: PUBLISHED | Reserved 2026-05-08 | Published 2026-06-11 | Updated 2026-06-13 | Assigner palo_alto




HIGH: 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/U:Amber

Problem types

CWE-78: Improper Neutralization of Special Elements used in an OS Command

Product status

Default status: unaffected

14.0 (custom) before 14.0.6: affected

14.2 (custom) before 14.2.5: affected

14.6 (custom) before 14.6.3: affected

15.0 (custom) before 15.0.2: affected

Timeline

2026-06-11: Initial publication.

Credits

Palo Alto Networks thanks our internal security research teams for discovering and reporting this issue. (finder)

References

docs.cyberark.com/.../release notes/rn-whatsnew15-0-psmp.htm vendor-advisory

docs.cyberark.com/.../release notes/rn-whatsnew14-6-psmp.htm vendor-advisory

docs.cyberark.com/...ent/release notes/rn-whatsnew14-2-5.htm vendor-advisory

docs.cyberark.com/...ent/release notes/rn-whatsnew14-0-6.htm vendor-advisory

cve.org (CVE-2026-45172)

nvd.nist.gov (CVE-2026-45172)
