CyberArk Identity sanagement solutions
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any CyberArk product.
RSS Feeds for CyberArk security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in CyberArk products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by CyberArk Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 1 vulnerability in CyberArk with an average score of 7.8 out of ten. Last year, in 2025 CyberArk had 11 security vulnerabilities published. Right now, CyberArk is on track to have less security vulnerabilities in 2026 than it did last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 1.70.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 7.80 |
| 2025 | 11 | 6.10 |
| 2024 | 4 | 4.85 |
| 2023 | 1 | 7.80 |
| 2022 | 2 | 6.55 |
| 2021 | 4 | 5.58 |
| 2020 | 3 | 5.70 |
| 2019 | 4 | 8.80 |
| 2018 | 4 | 7.58 |
It may take a day or so for new CyberArk vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent CyberArk Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2025-66374 | Feb 03, 2026 |
CVE-2025-66374: Priv Escalation in CyberArk EPMA 25.10.0 via Admin Task PolicyCyberArk Endpoint Privilege Manager Agent through 25.10.0 allows a local user to achieve privilege escalation through policy elevation of an Administration task. |
Endpoint Privilege Manager
|
| CVE-2025-13762 | Nov 27, 2025 |
CVE-2025-13762: CYBERARK SWS EXTENSION<2.2.30305 IMP INPUT VAL DOSImproper Input Validation vulnerability in CyberArk CyberArk Secure Web Sessions Extension on Chrome, Edge allows Denial of Service when trying to starting new SWS sessions.This issue affects CyberArk Secure Web Sessions Extension: before 2.2.30305. |
|
| CVE-2025-49831 | Jul 15, 2025 |
Secrets Manager Self-hosted Network Misrouting CVE-2025-49831 (Unpatched <13.6.1)An attacker of Secrets Manager, Self-Hosted installations that route traffic from Secrets Manager to AWS through a misconfigured network device can reroute authentication requests to a malicious server under the attackers control. CyberArk believes there to be very few installations where this issue can be actively exploited, though Secrets Manager, Self-Hosted (formerly Conjur Enterprise) prior to versions 13.5.1 and 13.6.1 and Conjur OSS prior to version 1.22.1 may be affected. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue. |
|
| CVE-2025-49830 | Jul 15, 2025 |
Conjur (<13.5.1/13.6.1/1.22.1) YAML File Inclusion via Policy ParserConjur provides secrets management and application identity for infrastructure. An authenticated attacker who is able to load policy can use the policy yaml parser to reference files on the Secrets Manager, Self-Hosted server. These references may be used as reconnaissance to better understand the folder structure of the Secrets Manager/Conjur server or to have the yaml parser include files on the server in the yaml that is processed as the policy loads. This issue affects Secrets Manager, Self-Hosted (formerly Conjur Enterprise) prior to versions 13.5.1 and 13.6.1 and Conjur OSS prior to version 1.22.1. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue. |
|
| CVE-2025-49829 | Jul 15, 2025 |
Conjur Secrets Manager injection & permission bypass before 13.6.1 & 1.22.1Conjur provides secrets management and application identity for infrastructure. Missing validations in Secrets Manager, Self-Hosted allows authenticated attackers to inject resources into the database and to bypass permission checks. This issue affects Secrets Manager, Self-Hosted (formerly Conjur Enterprise) prior to versions 13.5.1 and 13.6.1 and Conjur OSS prior to version 1.22.1. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue. |
|
| CVE-2025-49828 | Jul 15, 2025 |
Conjur RCE via Exposed API (1.19.5–1.21.1,13.1–13.4.1)Conjur provides secrets management and application identity for infrastructure. Conjur OSS versions 1.19.5 through 1.21.1 and Secrets Manager, Self-Hosted (formerly known as Conjur Enterprise) 13.1 through 13.4.1 are vulnerable to remote code execution An authenticated attacker who can inject secrets or templates into the Secrets Manager, Self-Hosted database could take advantage of an exposed API endpoint to execute arbitrary Ruby code within the Secrets Manager process. This issue affects both Secrets Manager, Self-Hosted (formerly Conjur Enterprise) and Conjur OSS. Conjur OSS version 1.21.2 and Secrets Manager, Self-Hosted version 13.5 fix the issue. |
|
| CVE-2025-49827 | Jul 15, 2025 |
Conjur IAM Authenticator Bypass (OSS v<1.22.1, SM v<13.6.1)Conjur provides secrets management and application identity for infrastructure. Conjur OSS versions 1.19.5 through 1.22.0 and Secrets Manager, Self-Hosted (formerly known as Conjur Enterprise) 13.1 through 13.5 and 13.6 are vulnerable to bypass of the IAM authenticator. An attacker who can manipulate the headers signed by AWS can take advantage of a malformed regular expression to redirect the authentication validation request that Secrets Manager, Self-Hosted sends to AWS to a malicious server controlled by the attacker. This redirection could result in a bypass of the Secrets Manager, Self-Hosted IAM Authenticator, granting the attacker the permissions granted to the client whose request was manipulated. This issue affects both Secrets Manager, Self-Hosted (formerly Conjur Enterprise) and Conjur OSS. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue. |
|
| CVE-2025-22270 | Feb 28, 2025 |
CyberArk EPManager 24.7.1 Role Name XSS via Admin PanelAn attacker with access to the Administration panel, specifically the "Role Management" tab, can inject code by adding a new role in the "name" field. It should be noted, however, that the risk of exploiting vulnerability is reduced due to the required additional error that allows bypassing the Content-Security-Policy policy, which mitigates JS code execution while still allowing HTML injection. This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is unknown. After multiple attempts to contact the vendor we did not receive any answer. |
Endpoint Privilege Manager
|
| CVE-2025-22274 | Feb 28, 2025 |
CyberArk Endpoint Privilege Manager SaaS 24.7.1: Content Field HTML InjectionIt is possible to inject HTML code into the page content using the "content" field in the "Application definition" page. This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is unknown. After multiple attempts to contact the vendor we did not receive any answer. |
Endpoint Privilege Manager
|
| CVE-2025-22273 | Feb 28, 2025 |
CyberArk EPM 24.7.1 – Unrestricted Brute Force to /ChangePasswordApplication does not limit the number or frequency of user interactions, such as the number of incoming requests. At the "/EPMUI/VfManager.asmx/ChangePassword" endpoint it is possible to perform a brute force attack on the current password in use. This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is unknown. After multiple attempts to contact the vendor we did not receive any answer. |
Endpoint Privilege Manager
|
| CVE-2025-22271 | Feb 28, 2025 |
IP Address Spoofing via XFF Header in CyberArk EPM SaaS 24.7.1The application or its infrastructure allows for IP address spoofing by providing its own value in the "X-Forwarded-For" header. Thus, the action logging mechanism in the application loses accountability This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is unknown. After multiple attempts to contact the vendor we did not receive any answer. |
Endpoint Privilege Manager
|
| CVE-2024-54840 | Feb 03, 2025 |
PVWA <14.4 Host Header Injection VulnerabilityPVWA (Password Vault Web Access) in CyberArk Privileged Access Manager Self-Hosted before 14.4 does not properly address environment issues that can contribute to Host header injection. |
Privileged Access Manager
|
| CVE-2024-42340 | Aug 25, 2024 |
CyberArk Password Vault: ClientSide Enforcement Bypass (CVE202442340)CyberArk - CWE-602: Client-Side Enforcement of Server-Side Security |
Identity
|
| CVE-2024-42337 | Aug 25, 2024 |
CyberArk Sensitive Info Exposure (CWE-200)CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |
Identity
|
| CVE-2024-42338 | Aug 25, 2024 |
CyberArk Sensitive Info Exposure (CWE-200) to Unauthorized ActorsCyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |
Identity
|
| CVE-2024-42339 | Aug 25, 2024 |
CVE-2024-42339 CyberArk PAS: Sensitive Data Exposure (CWE-200)CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |
Identity
|
| CVE-2017-11197 | May 03, 2023 |
CyberArk Viewfinity Priv Esc via Add Printer (5.5.10.95/6.x pre6.1.1.220)In CyberArk Viewfinity 5.5.10.95 and 6.x before 6.1.1.220, a low privilege user can escalate to an administrative user via a bug within the "add printer" option. |
Viewfinity
|
| CVE-2022-22700 | Mar 03, 2022 |
CyberArk Identity versions up to and including 22.1 in the 'StartAuthentication' resource, exposes the response header 'X-CFY-TX-TM'CyberArk Identity versions up to and including 22.1 in the 'StartAuthentication' resource, exposes the response header 'X-CFY-TX-TM'. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant. |
Identity
|
| CVE-2021-44049 | Jan 15, 2022 |
CyberArk Endpoint Privilege Manager (EPM) through 11.5.3.328 before 2021-12-20CyberArk Endpoint Privilege Manager (EPM) through 11.5.3.328 before 2021-12-20 allows a local user to gain elevated privileges via a Trojan horse Procmon64.exe in the user's Temp directory. |
Endpoint Privilege Manager
|
| CVE-2021-31796 | Sep 02, 2021 |
An inadequate encryption vulnerability discovered in CyberArk Credential Provider before 12.1 may lead to Information DisclosureAn inadequate encryption vulnerability discovered in CyberArk Credential Provider before 12.1 may lead to Information Disclosure. An attacker may realistically have enough information that the number of possible keys (for a credential file) is only one, and the number is usually not higher than 2^36. |
Credential Provider
|
| CVE-2021-31798 | Sep 02, 2021 |
The effective key space used to encrypt the cache in CyberArk Credential Provider prior to 12.1 has low entropy, and under certain conditions a local malicious userThe effective key space used to encrypt the cache in CyberArk Credential Provider prior to 12.1 has low entropy, and under certain conditions a local malicious user can obtain the plaintext of cache files. |
Credential Provider
|
| CVE-2021-31797 | Sep 02, 2021 |
The user identification mechanism used by CyberArk Credential Provider prior to 12.1 is susceptible to a local host race conditionThe user identification mechanism used by CyberArk Credential Provider prior to 12.1 is susceptible to a local host race condition, leading to password disclosure. |
Credential Provider
|
| CVE-2021-37151 | Sep 01, 2021 |
CyberArk Identity 21.5.131, when handling an invalid authentication attempt, sometimes reveals whether the username is validCyberArk Identity 21.5.131, when handling an invalid authentication attempt, sometimes reveals whether the username is valid. In certain authentication policy configurations with MFA, the API response length can be used to differentiate between a valid user and an invalid one (aka Username Enumeration). Response differentiation enables attackers to enumerate usernames of valid application users. Attackers can use this information to leverage brute-force and dictionary attacks in order to discover valid account information such as passwords. |
Identity
|
| CVE-2020-25738 | Nov 27, 2020 |
CyberArk Endpoint Privilege Manager (EPM) 11.1.0.173 allows attackers to bypass a Credential Theft protection mechanism by injecting a DLL into a processCyberArk Endpoint Privilege Manager (EPM) 11.1.0.173 allows attackers to bypass a Credential Theft protection mechanism by injecting a DLL into a process that normally has credential access, such as a Chrome process that reads credentials from a SQLite database. |
Endpoint Privilege Manager
|
| CVE-2020-25374 | Oct 28, 2020 |
CyberArk Privileged Session Manager (PSM) 10.9.0.15CyberArk Privileged Session Manager (PSM) 10.9.0.15 allows attackers to discover internal pathnames by reading an error popup message after two hours of idle time. |
Privileged Session Manager
|
| CVE-2020-4062 | Jun 22, 2020 |
In Conjur OSS Helm Chart before 2.0.0In Conjur OSS Helm Chart before 2.0.0, a recently identified critical vulnerability resulted in the installation of the Conjur Postgres database with an open port. This allows an attacker to gain full read & write access to the Conjur Postgres database, including escalating the attacker's privileges to assume full control. A malicious actor who knows the IP address and port number of the Postgres database and has access into the Kubernetes cluster where Conjur runs can gain full read & write access to the Postgres database. This enables the attacker to write a policy that allows full access to retrieve any secret. This Helm chart is a method to install Conjur OSS into a Kubernetes environment. Hence, the systems impacted are only Conjur OSS systems that were deployed using this chart. Other deployments including Docker and the CyberArk Dynamic Access Provider (DAP) are not affected. To remediate this vulnerability, clone the latest Helm Chart and follow the upgrade instructions. If you are not able to fully remediate this vulnerability immediately, you can mitigate some of the risk by making sure Conjur OSS is deployed on an isolated Kubernetes cluster or namespace. The term "isolated" refers to: - No other workloads besides Conjur OSS and its backend database are running in that Kubernetes cluster/namespace. - Kubernetes and helm access to the cluster/namespace is limited to security administrators via Role-Based Access Control (RBAC). |
Conjur Oss Helm Chart
|
| CVE-2019-3800 | Aug 05, 2019 |
CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flagCF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials. |
Conjur Service Broker
|
| CVE-2019-7442 | May 08, 2019 |
An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault <=10.7An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault <=10.7 allows remote attackers to read arbitrary files or potentially bypass authentication via a crafted DTD in the SAML authentication system. |
Enterprise Password Vault
|
| CVE-2018-14894 | Apr 09, 2019 |
CyberArk Endpoint Privilege Manager 10.2.1.603 and earlierCyberArk Endpoint Privilege Manager 10.2.1.603 and earlier allows an attacker (who is able to edit permissions of a file) to bypass intended access restrictions and execute blocked applications. |
Endpoint Privilege Manager
|
| CVE-2019-9627 | Mar 08, 2019 |
A buffer overflow in the kernel driver CybKernelTracker.sys in CyberArk Endpoint Privilege Manager versions prior to 10.7A buffer overflow in the kernel driver CybKernelTracker.sys in CyberArk Endpoint Privilege Manager versions prior to 10.7 allows an attacker (without Administrator privileges) to escalate privileges or crash the machine by loading an image, such as a DLL, with a long path. |
Endpoint Privilege Manager
|
| CVE-2018-13052 | Jul 05, 2018 |
In CyberArk Endpoint Privilege Manager (formerly Viewfinity), Privilege Escalation is possible if the attacker has one processIn CyberArk Endpoint Privilege Manager (formerly Viewfinity), Privilege Escalation is possible if the attacker has one process that executes as Admin. |
Endpoint Privilege Manager
|
| CVE-2018-12903 | Jun 26, 2018 |
In CyberArk Endpoint Privilege Manager (formerly Viewfinity) 10.2.1.603, there is persistent XSSIn CyberArk Endpoint Privilege Manager (formerly Viewfinity) 10.2.1.603, there is persistent XSS via an account name on the create token screen, the VfManager.asmx SelectAccounts->DisplayName screen, a user's groups in ConfigurationPage, the Dialog Title field, and App Group Name in the Application Group Wizard. |
Endpoint Privilege Manager
|
| CVE-2018-9842 | Apr 12, 2018 |
CyberArk Password Vault before 9.7CyberArk Password Vault before 9.7 allows remote attackers to obtain sensitive information from process memory by replaying a logon message. |
Password Vault
|
| CVE-2018-9843 | Apr 12, 2018 |
The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute arbitrary code via a serialized .NET object in an Authorization HTTP header. |
Password Vault
|