CVE-2026-45177

Vulnerability

Idira Secrets Manager SaaS Edge versions prior to 1.8 contain an improper access control vulnerability within internal authentication components. A remote, unauthenticated attacker can exploit this by submitting a specially crafted request to manipulate internal validation mechanisms, potentially bypassing identity verification and acquiring an unauthorized access token. [1]

Exploitation

An attacker with network access to the affected service can send a crafted request without any prior authentication. The request targets internal authentication validation logic, and under specific circumstances, the manipulation succeeds in bypassing identity checks. No user interaction or special privileges are required.

Impact

Successful exploitation allows the attacker to obtain an access token, effectively impersonating a legitimate user or service. This could lead to unauthorized access to secrets managed by the system, resulting in information disclosure and potential compromise of downstream systems.

Mitigation

The vulnerability is fixed in version 1.8 of Idira Secrets Manager SaaS Edge. Users should upgrade to version 1.8 or later. The fix was released as part of the May 13, 2026 update [1]. No workarounds are documented in the available references.