CVE-2026-45169
Description
A validation vulnerability in Idira PAM Self-Hosted Vault prior to fixed versions can cause a localized denial of service under specific conditions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A validation vulnerability exists in the Idira Privileged Access Manager (PAM) Self-Hosted Vault component. Under specific circumstances and configuration scenarios, processing unexpected input can lead to an unexpected service termination, resulting in a localized denial of service (DoS). Affected versions are those prior to 15.0.3, 14.6.5, 14.2.7, and 14.0.8 [1][2][3][4].
Exploitation
An attacker with network access to the Vault service can send crafted input that triggers the validation flaw. The exact prerequisites are not detailed, but the vulnerability is reachable under specific configuration scenarios. No authentication is explicitly required, though the attack surface may depend on the deployment's exposure.
Impact
Successful exploitation causes the Vault service to terminate unexpectedly, resulting in a localized denial of service. This disrupts availability of the privileged access management functionality but does not affect other components or data integrity.
Mitigation
CyberArk has released fixed versions: 15.0.3, 14.6.5, 14.2.7, and 14.0.8 [1][2][3][4]. Users should upgrade to the appropriate patched version. No workarounds have been published, and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <15.0.3, <14.6.5, <14.2.7, <14.0.8
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- docs.cyberark.com/pam-self-hosted/latest/en/content/release%20notes/rn-whatsnew14-0-8.htm (nvd)
- docs.cyberark.com/pam-self-hosted/latest/en/content/release%20notes/rn-whatsnew14-2-7.htm (nvd)
- docs.cyberark.com/pam-self-hosted/latest/en/content/release%20notes/rn-whatsnew14-6-vault.htm (nvd)
- docs.cyberark.com/pam-self-hosted/latest/en/content/release%20notes/rn-whatsnew15-0-vault.htm (nvd)
News mentions
No linked articles in our index yet.