VYPR
High severity · NVD Advisory · Published Jun 12, 2026

CVE-2026-45170

Description

Idira Privilege Cloud Connector <1.1.100504 may not fully enforce TLS certificate validation under specific conditions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Idira Privilege Cloud Connector versions prior to 1.1.100504 contain a TLS certificate validation enforcement issue [1]. Under specific conditions and configuration scenarios, the connector may not fully validate TLS certificates, so a malicious certificate presented by an attacker could be accepted [1].

Exploitation

An attacker positioned to intercept network traffic between the connector and its communication endpoints could exploit the weak certificate validation [1]. No authentication or user interaction is required; the attack depends only on the connector being in one of the specific configuration scenarios in which full certificate validation is disabled [1]. The attacker would need to serve a crafted TLS certificate to the connector during a handshake.

Impact

If successfully exploited, an attacker could perform a man-in-the-middle attack, leading to disclosure of sensitive information transmitted over the supposedly protected channel [1]. The compromise could also allow the attacker to impersonate legitimate services, affecting the integrity and availability of communications. The scope is limited to the data flowing through the connector [1].

Mitigation

Upgrade to Idira Privilege Cloud Connector version 1.1.100504 or later, which addresses the TLS certificate validation issue [1]. As no workaround is documented in the available references, upgrading is the recommended course of action. The vulnerability is not currently listed in CISA KEV.

References
  1. Docs Home

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
