On July 15, 2025, CyberArk disclosed 5 vulnerabilities in our Conjur OSS 
product.

  * CVE-2025-49827<https://www.cve.org/CVERecord?id=CVE-2025-49827> - Critical -
    Bypass of IAM Authenticator in Secrets Manager, Self-Hosted (formerly Conjur
    Enterprise) and Conjur OSS (GitHub
    Advisory<https://github.com/cyberark/conjur/security/advisories/GHSA-gmc5-9mpc-xg75>)
  * CVE-2025-49828<https://www.cve.org/CVERecord?id=CVE-2025-49828> - High - Remote
    Code Execution in Secrets Manager, Self-Hosted (formerly Conjur Enterprise) and
    Conjur OSS (GitHub
    Advisory<https://github.com/cyberark/conjur/security/advisories/GHSA-93hx-v9pv-qrm4>)
  * CVE-2025-49829<https://www.cve.org/CVERecord?id=CVE-2025-49829> - Medium -
    Missing validations in Secrets Manager, Self-Hosted (formerly Conjur
    Enterprise) and Conjur OSS (GitHub
    Advisory<https://github.com/cyberark/conjur/security/advisories/GHSA-9w76-m74g-4c2r>)
  * CVE-2025-49830<https://www.cve.org/CVERecord?id=CVE-2025-49830> - High - Path
    traversal and file disclosure in Secrets Manager, Self-Hosted (formerly Conjur
    Enterprise) and Conjur OSS (GitHub
    Advisory<https://github.com/cyberark/conjur/security/advisories/GHSA-7m6h-fqrm-m9c5>)
  * CVE-2025-49831<https://www.cve.org/CVERecord?id=CVE-2025-49831> - Critical -
    IAM Authenticator Bypass via Mis-configured Network Device in Secrets Manager,
    Self-Hosted (formerly Conjur Enterprise) and Conjur OSS (GitHub
    Advisory<https://github.com/cyberark/conjur/security/advisories/GHSA-952q-mjrf-wp5j>)

All users of Conjur OSS are encouraged to update to the 1.22.1 release, 
available on 
DockerHub<https://hub.docker.com/layers/cyberark/conjur/1.22.1/images/sha256-331fecd01c5a8a6179165bedba57b85f7cd1283b6b2a9a4f29fcb1e7a92580b3>
 and at the GitHub.com Conjur 1.22.1 
release<https://github.com/cyberark/conjur/releases/tag/v1.22.1>.  These issues 
also affect our Secrets Manager, Self-Hosted (formerly Conjur Enterprise) 
product and have been disclosed to our customers in our security bulletin 
CA25-22<https://www.cyberark.com/CA25-22>.
For further information, please see our blog 
post<https://www.cyberark.com/resources/product-insights-blog/addressing-recent-vulnerabilities-and-our-commitment-to-security>.

