Critical Vulnerability Information

Vulnerability Title: IAM Authenticator Bypass via Mis-configured Network Device in Secrets Manager, Self-Hosted (formerly Conjur Enterprise) and Conjur OSS

Vulnerability Severity Level: Critical
CVSS v4 Base Score: 9.1 / 10

Affected Versions
- Conjur OSS (CyberArk): < 1.22.1
- Secrets Manager, Self-Hosted (formerly known as Conjur Enterprise) (CyberArk): < 13.5.1; 13.6

Fixed Versions
- Conjur OSS (CyberArk): 1.22.1
- Secrets Manager, Self-Hosted (formerly known as Conjur Enterprise) (CyberArk): 13.5.1; 13.6.1

Description
Attackers can redirect traffic from Secrets Manager to AWS through a misconfigured network device to a malicious server under their control, thereby bypassing authentication requests. Although CyberArk considers this issue to affect few installations, both Secrets Manager, Self-Hosted and Conjur OSS are potentially impacted.

CVSS v4 Base Metrics
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Present
Required Privileges: None
User Interaction: None
Affected System Impact Metrics:
- Confidentiality: High
- Integrity: High
- Availability: None
Secondary System Impact Metrics:
- Confidentiality: None
- Integrity: None
- Availability: None

CVE ID: CVE-2025-49831
Weakness: No CWEs