Back to KEVs

CVE-2025-49831

Conjur OSS and Secrets Manager, Self-Hosted (formerly Conjur Enterprise) vulnerable to IAM Authenticator Bypass via Mis-configured Network Device

Basic Information

CVE State
PUBLISHED
Reserved Date
June 11, 2025
Published Date
July 15, 2025
Last Updated
November 04, 2025
Vendor
cyberark
Product
conjur
Description
An attacker of Secrets Manager, Self-Hosted installations that route traffic from Secrets Manager to AWS through a misconfigured network device can reroute authentication requests to a malicious server under the attacker’s control. CyberArk believes there to be very few installations where this issue can be actively exploited, though Secrets Manager, Self-Hosted (formerly Conjur Enterprise) prior to versions 13.5.1 and 13.6.1 and Conjur OSS prior to version 1.22.1 may be affected. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue.

CVSS Scores

CVSS v4.0

9.1 - CRITICAL

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

SSVC Information

Exploitation
none
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2026-06-01 10:37:00 UTC) Source

References

https://github.com/cyberark/conjur/security/advisories/GHSA-952q-mjrf-wp5j https://github.com/cyberark/conjur/releases/tag/v1.22.1

Known Exploited Vulnerability Information

Source Added Date
CVE 2026-06-01 10:37:00 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel