Unrated severityNVD Advisory· Published Jul 15, 2025· Updated Nov 4, 2025

Conjur OSS and Secrets Manager, Self-Hosted (formerly Conjur Enterprise) vulnerable to IAM Authenticator Bypass via Mis-configured Network Device

CVE-2025-49831

Description

An attacker of Secrets Manager, Self-Hosted installations that route traffic from Secrets Manager to AWS through a misconfigured network device can reroute authentication requests to a malicious server under the attacker’s control. CyberArk believes there to be very few installations where this issue can be actively exploited, though Secrets Manager, Self-Hosted (formerly Conjur Enterprise) prior to versions 13.5.1 and 13.6.1 and Conjur OSS prior to version 1.22.1 may be affected. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue.

Affected products

Cyber Ark/Secrets Manager, Self-Hostedllm-create
Range: <13.5.1, <13.6.1
Cyber Ark/Conjur OSSllm-create
Range: <1.22.1
cyberark/conjurv5
Range: Conjur OSS < 1.22.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/cyberark/conjur/releases/tag/v1.22.1mitrex_refsource_MISC
github.com/cyberark/conjur/security/advisories/GHSA-952q-mjrf-wp5jmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000