CVE-2025-49830: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in cyberark conjur
Conjur provides secrets management and application identity for infrastructure. An authenticated attacker who is able to load policy can use the policy yaml parser to reference files on the Secrets Manager, Self-Hosted server. These references may be used as reconnaissance to better understand the folder structure of the Secrets Manager/Conjur server or to have the yaml parser include files on the server in the yaml that is processed as the policy loads. This issue affects Secrets Manager, Self-Hosted (formerly Conjur Enterprise) prior to versions 13.5.1 and 13.6.1 and Conjur OSS prior to version 1.22.1. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue.
AI Analysis
Technical Summary
CVE-2025-49830 is a path traversal vulnerability (CWE-22) in CyberArk Conjur's Secrets Manager, Self-Hosted and Conjur OSS products. Conjur is widely used for secrets management and application identity in infrastructure environments. The vulnerability arises because the YAML policy parser does not properly restrict pathname references when loading policies. An authenticated attacker who has the ability to load policies can craft malicious YAML that references arbitrary files on the Conjur server's filesystem. This can be leveraged to perform reconnaissance by revealing the folder structure or to include sensitive files in the policy processing workflow, potentially exposing secrets or configuration data. The flaw affects Conjur OSS versions prior to 1.22.1 and Secrets Manager, Self-Hosted versions prior to 13.5.1 and 13.6.1. The vulnerability does not require user interaction or elevated privileges beyond authenticated policy loading rights, making it relatively easy to exploit once access is gained. The CVSS 4.0 base score is 7.1 (high), reflecting network attack vector, low attack complexity, no privileges required beyond authenticated policy loading, and high impact on confidentiality. No known exploits have been reported in the wild yet. The issue is fixed in Conjur OSS 1.22.1 and Secrets Manager, Self-Hosted 13.5.1 and 13.6.1. Organizations using affected versions should apply these updates promptly to mitigate the risk.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of secrets and sensitive configuration data managed by CyberArk Conjur. Since Conjur is often deployed in critical infrastructure, financial services, and government sectors for secrets management, exploitation could lead to unauthorized disclosure of credentials, API keys, or other sensitive information. This could facilitate further lateral movement, privilege escalation, or data breaches. The ability to perform reconnaissance on the server's directory structure also aids attackers in crafting more targeted attacks. Given the network-exploitable nature and the lack of required user interaction, the threat is considerable in environments where Conjur is deployed without strict access controls. The impact is heightened in European organizations subject to GDPR and other data protection regulations, as exposure of secrets could lead to compliance violations and financial penalties.
Mitigation Recommendations
European organizations should immediately verify their Conjur deployment versions and upgrade to Conjur OSS 1.22.1 or later, or Secrets Manager, Self-Hosted 13.5.1 or 13.6.1 or later. Until patches are applied, restrict policy loading permissions to the minimum necessary users and service accounts, and monitor policy load activities for suspicious or unexpected YAML files. Implement network segmentation and access controls to limit who can authenticate and load policies on the Conjur server. Employ rigorous logging and alerting on policy load operations to detect potential exploitation attempts. Additionally, conduct a thorough audit of existing policies and server files to identify any unauthorized inclusions or anomalies. Consider deploying runtime application self-protection (RASP) or Web Application Firewall (WAF) rules to detect and block path traversal attempts targeting the policy loading interface. Finally, integrate vulnerability management processes to ensure timely patching of Conjur and related infrastructure components.
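To support the policy audit and policy-load monitoring recommended above, the following Python script is an added example (not CyberArk's code and not part of the original advisory) that flags values in policy text that look like server file references. The advisory does not publish the reference syntax, so the scan is syntax-agnostic; the sample policy, the `OS_ROOTS` list and the function names are assumptions made for illustration.

```python
import re

# Constructed sample policy text (not from the advisory); paths are placeholders.
SAMPLE_POLICY = """\
- !policy
  id: prod/db
  body:
    - !variable password
    - !group /admins
    - !variable
      id: report
      annotations:
        source: ../../../etc/example.conf
        notes: /var/log/example/audit.log
        link: "file:///opt/example/keys"
# comment mentioning ../ is ignored
"""

# Assumed list of OS directory roots; tune per deployment. A bare leading "/"
# is not flagged, on the assumption that policies may use absolute resource ids.
OS_ROOTS = ("etc", "opt", "var", "proc", "root", "home", "usr", "tmp", "run", "sys")
TRAVERSAL = re.compile(r"(^|[/\\])\.\.([/\\]|$)")   # ".." as a whole path segment
ABS_PATH = re.compile(r"^/(%s)(/|$)" % "|".join(OS_ROOTS))
FILE_URI = re.compile(r"^file:", re.IGNORECASE)

def classify(token):
    """Return a reason string if the token looks like a file reference, else None."""
    token = token.strip("\"'")
    if FILE_URI.search(token):
        return "file-uri"
    if TRAVERSAL.search(token):
        return "traversal"
    if ABS_PATH.search(token):
        return "os-absolute-path"
    return None

def scan_policy(text):
    """Return (line_number, reason, token) findings for one policy document."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):      # skip whole-line YAML comments
            continue
        for token in line.split():
            reason = classify(token)
            if reason:
                findings.append((lineno, reason, token.strip("\"'")))
    return findings

if __name__ == "__main__":
    for lineno, reason, token in scan_policy(SAMPLE_POLICY):
        print(f"line {lineno}: {reason}: {token}")
```

Findings are review leads rather than proof of exploitation; run it over stored policy files and over policy bodies captured at load time, then triage each hit against the policy's author and change history.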
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium, Poland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-06-11T14:33:57.799Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6876b715a83201eaacd0668e
Added to database: 7/15/2025, 8:16:21 PM
Last enriched: 11/4/2025, 9:54:09 PM
Last updated: 12/4/2025, 11:03:37 PM