CVE-2026-45178

Vulnerability

An improper access control vulnerability exists in the internal cluster endpoints of Idira Secrets Manager Self-Hosted versions 13.8.0 and lower. The flaw allows a remote, authenticated attacker with standard node-level credentials to interact with endpoints that should be restricted. The affected code path is reachable when the attacker possesses valid credentials for a cluster node, which are typically used for inter-node communication.

Exploitation

An attacker must have network access to the cluster and possess standard node-level credentials (e.g., a node token or certificate). With these, the attacker can send crafted requests to internal cluster endpoints that lack proper authorization checks. No additional user interaction is required; the attack can be performed remotely over the network.

Impact

Successful exploitation enables the attacker to retrieve unauthorized secrets stored in the Secrets Manager or cause a denial of service (DoS) by disrupting cluster operations. The attacker gains access to sensitive data at the privilege level of a node, which may include secrets intended for other nodes or applications.

Mitigation

The vulnerability is fixed in version 13.8.1, released on or before June 11, 2026 [1]. Users should upgrade to 13.8.1 or later. No workarounds are documented in the available references. If upgrading is not immediately possible, restrict network access to cluster endpoints and monitor for anomalous node-level requests.