{"id":"CVE-2025-49831","summary":"Conjur OSS and Secrets Manager, Self-Hosted (formerly Conjur Enterprise) vulnerable to IAM Authenticator Bypass via Mis-configured Network Device","details":"An attacker targeting Secrets Manager, Self-Hosted installations that route traffic from Secrets Manager to AWS through a misconfigured network device can reroute authentication requests to a malicious server under the attacker’s control. CyberArk believes there are very few installations where this issue can be actively exploited, though Secrets Manager, Self-Hosted (formerly Conjur Enterprise) prior to versions 13.5.1 and 13.6.1 and Conjur OSS prior to version 1.22.1 may be affected. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue.","aliases":["GHSA-952q-mjrf-wp5j"],"modified":"2026-04-10T05:29:39.716977Z","published":"2025-07-15T20:10:35.367Z","database_specific":{"cwe_ids":["CWE-287"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/49xxx/CVE-2025-49831.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2025/07/16/7"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2025/08/08/1"},{"type":"WEB","url":"https://github.com/cyberark/conjur/releases/tag/v1.22.1"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/49xxx/CVE-2025-49831.json"},{"type":"ADVISORY","url":"https://github.com/cyberark/conjur/security/advisories/GHSA-952q-mjrf-wp5j"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-49831"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cyberark/conjur","events":[{"introduced":"0"},{"fixed":"66b9accd4273440017670b68566998c7945fb113"}]}],"versions":["1.2.0","delete","v0.2.0","v0.3.0","v0.6.0","v0.7.0","v0.8.0","v0.8.1","v0.9.0","v1.0.0","v1.0.1","v1.1.0","v1.1.1","v1.1.2","v1.10.0","v1.11.0","v1.11.1","v1.11.2","v1.11.3","v1.11.4","v1.11.5","v1.11.6"
,"v1.11.7","v1.12.0","v1.13.0","v1.13.1","v1.14.0","v1.14.1","v1.14.2","v1.15.0","v1.16.0-2224","v1.16.0-2233","v1.16.0-2238","v1.16.0-2258","v1.16.0-2264","v1.16.0-2265","v1.16.0-2266","v1.16.0-2271","v1.16.0-2280","v1.16.0-2281","v1.16.0-2286","v1.17.0-2299","v1.17.1-2301","v1.17.1-2305","v1.17.1-2306","v1.17.1-2307","v1.17.1-2312","v1.17.1-2314","v1.17.2-2321","v1.17.2-2323","v1.17.2-2324","v1.17.2-2330","v1.17.2-2341","v1.17.2-2371","v1.17.2-2380","v1.17.2-2401","v1.17.2-2408","v1.17.2-2468","v1.17.2-2477","v1.17.3","v1.17.3-2478","v1.17.3-2484","v1.17.3-2498","v1.17.4-2500","v1.17.5-2503","v1.17.5-2515","v1.17.5-2521","v1.17.6","v1.17.6-2525","v1.17.6-2555","v1.17.6-2562","v1.17.6-2571","v1.17.6-2585","v1.17.7","v1.17.7-2648","v1.17.7-2653","v1.17.7-2670","v1.17.7-2695","v1.17.7-2705","v1.17.7-2710","v1.17.7-2766","v1.17.7-2782","v1.17.7-2785","v1.17.8-2829","v1.18.0","v1.18.0-2834","v1.18.0-2837","v1.18.0-2845","v1.18.0-2856","v1.18.0-2864","v1.18.0-2871","v1.18.0-2891","v1.18.0-2893","v1.18.0-2902","v1.18.1","v1.18.1-2924","v1.18.1-2928","v1.18.1-2953","v1.18.1-2957","v1.18.1-2961","v1.18.1-2963","v1.18.1-2969","v1.18.2","v1.18.2-3025","v1.18.2-3030","v1.18.3","v1.18.3-3057","v1.18.4","v1.18.4-3067","v1.18.5-3122","v1.18.5-3123","v1.18.5-3165","v1.18.5-3170","v1.18.5-3183","v1.18.5-3187","v1.19.0","v1.19.0-3227","v1.19.0-3228","v1.19.0-3239","v1.19.0-3243","v1.19.0-3276","v1.19.0-3290","v1.19.0-3292","v1.19.0-3294","v1.19.1","v1.19.1-3316","v1.19.1-3320","v1.19.1-3325","v1.19.1-3334","v1.19.1-3355","v1.19.1-3387","v1.19.1-3394","v1.19.1-3398","v1.19.2","v1.19.2-3426","v1.19.2-3431","v1.19.3","v1.19.3-3458","v1.19.3-3474","v1.19.3-3475","v1.19.3-3483","v1.19.3-3494","v1.19.3-3517","v1.19.3-3518","v1.19.3-3528","v1.19.3-3529","v1.19.3-3568","v1.19.3-3584","v1.19.3-3597","v1.19.3-3602","v1.19.3-3603","v1.19.3-3606","v1.19.3-3614","v1.19.3-3615","v1.19.3-3619","v1.19.3-3622","v1.19.3-3632","v1.19.3-3638","v1.19.3-3645","v1.19.3-3646","v1.19.3-3648","v1.19.3-3651"
,"v1.19.3-3676","v1.19.3-3685","v1.19.3-3690","v1.19.4-3759","v1.19.4-3763","v1.19.5","v1.19.5-3765","v1.19.5-3796","v1.19.5-3797","v1.19.5-3798","v1.19.5-3859","v1.19.5-3864","v1.19.5-3900","v1.19.5-3903","v1.19.5-3905","v1.19.5-3906","v1.19.5-3911","v1.19.5-3915","v1.19.6-3948","v1.19.6-3949","v1.19.6-3954","v1.19.6-3955","v1.19.6-3960","v1.19.6-3961","v1.19.6-3968","v1.19.6-3969","v1.19.6-3974","v1.19.6-3979","v1.19.6-3984","v1.19.6-3985","v1.19.6-3989","v1.19.6-3990","v1.19.6-3994","v1.19.6-3999","v1.19.6-4000","v1.19.6-4003","v1.19.6-4004","v1.19.6-4016","v1.19.6-4019","v1.19.6-4023","v1.19.6-4027","v1.19.6-4037","v1.19.6-4038","v1.19.6-4040","v1.19.6-4041","v1.19.6-4045","v1.19.6-4046","v1.19.6-4050","v1.19.6-4056","v1.19.6-4060","v1.19.6-4061","v1.19.6-4065","v1.19.6-4066","v1.2.0","v1.20.0","v1.20.0-4069","v1.20.0-4071","v1.20.0-4072","v1.20.0-4076","v1.20.0-4077","v1.20.0-4083","v1.20.0-4088","v1.20.0-4095","v1.20.0-4104","v1.20.0-4105","v1.20.0-4107","v1.20.0-4115","v1.20.0-4125","v1.20.0-4126","v1.20.0-4127","v1.20.0-4131","v1.20.0-4132","v1.20.0-4153","v1.20.0-4157","v1.20.0-4161","v1.20.0-4164","v1.20.0-4177","v1.20.0-4180","v1.20.0-4183","v1.20.0-4187","v1.20.0-4191","v1.20.0-4198","v1.20.0-4212","v1.20.0-4214","v1.20.0-4218","v1.20.0-4219","v1.20.0-4222","v1.20.0-4223","v1.20.0-4224","v1.20.0-4229","v1.20.0-4230","v1.20.0-4231","v1.20.0-4238","v1.20.0-4249","v1.20.0-4250","v1.20.0-4255","v1.20.0-4256","v1.20.0-4262","v1.20.1-4353","v1.20.1-4362","v1.20.1-4368","v1.20.1-4372","v1.20.1-4377","v1.20.1-4378","v1.20.1-4383","v1.20.1-4385","v1.20.1-4395","v1.20.1-4400","v1.20.1-4404","v1.20.1-4405","v1.21.2","v1.21.3","v1.3.0","v1.3.1","v1.3.2","v1.3.3","v1.3.4","v1.3.5","v1.3.6","v1.3.7","v1.4.0","v1.4.1","v1.4.2","v1.4.3","v1.4.4","v1.4.6","v1.4.7","v1.5.0","v1.5.1","v1.6.0","v1.7.0","v1.7.1","v1.7.2","v1.7.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49831.json"}}],"schema_version":"1.7.5","seve
rity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"}]}