Security Advisories
This page provides timely updates on software vulnerabilities, patches, and security-related issues that may impact our products or services. We’re committed to transparency and proactive communication to help you stay informed and protected.
Check back regularly for the latest advisories, mitigation guidance, and best practices to ensure your systems remain secure.
The distributed engine of Secret Server version 11.7.49 and earlier allows an attacker to impersonate another distributed engine by exploiting a vulnerability in an initial authorization event.
Affected Product and Version
Delinea Secret Server on-prem version 11.7.49 and earlier
Resolution
Upgrade to Secret Server version 11.7.60 or later
CVE Details
- CVE ID: CVE-2025-6942
- Published Date: July 2, 2025
- Vulnerability Type: Authorization Bypass Through User-Controlled Key
- CWE: 639
- CVSS v3 Score: 3.8
- CVSS v3 Vector: AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
Secret Server version 11.7.49 and earlier allows an administrator to gain access to restricted tables by exploiting a vulnerability in the SQL report creation functionality.
Affected Product and Version
Delinea Secret Server on-prem version 11.7.49 and earlier
Resolution
Upgrade to Secret Server version 11.7.60 or later
CVE Details
- CVE ID: CVE-2025-6943
- Published Date: July 2, 2025
- Vulnerability Type: Improper Privilege Management
- CWE: 269
- CVSS v3 Score: 3.8
- CVSS v3 Vector: AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
Improper Authentication vulnerability in Delinea Inc. Secret Server On-Prem (RPC Password Rotation modules).
This issue affects Secret Server On-Prem: 11.8.1, 11.9.6, 11.9.25.
A secret with "change password on check in" enabled is checked in automatically even when the password change fails after reaching its retry limit. This leaves the secret in an inconsistent state: it is checked in, but it holds the wrong password.
Affected Product and Version:
Delinea Secret Server on-prem versions 11.8.1, 11.9.6, and 11.9.25
Resolution:
Upgrade to Secret Server version 11.9.47 or later. With the fix, the secret remains checked out when the password change fails.
CVE Details:
- CVE ID: CVE-2025-12810
- Published Date: January 27, 2026
- Vulnerability Type: Improper Authentication
- CWE: 287
- CVSS v4.0 Score: 5.3 (Medium)
- CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/AU:Y/R:A
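This advisory describes a state-handling bug rather than an injection or crypto flaw, so the following added example (a constructed model, not Secret Server code; the class and function names, the retry loop, and the assumption that the vault value is updated before the change is pushed to the target are all this example's own) contrasts the pre-fix check-in logic, which checks the secret in regardless of the rotation outcome, with the fixed logic that keeps it checked out and flags it when the retry limit is exhausted.

```python
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class Secret:
    name: str
    vault_password: str      # what the vault hands out on check-out
    target_password: str     # what the managed account actually has (constructed twin)
    checked_out: bool = False
    rotation_failed: bool = False
    events: List[str] = field(default_factory=list)

    def consistent(self) -> bool:
        return self.vault_password == self.target_password


def make_push(secret: Secret, failures_before_success: int) -> Callable[[str], bool]:
    """Constructed stand-in for the RPC password change: fails the first N
    attempts (target unreachable, wrong old password, ...) and then succeeds."""
    state = {"calls": 0}

    def push(new_password: str) -> bool:
        state["calls"] += 1
        if state["calls"] <= failures_before_success:
            return False
        secret.target_password = new_password
        return True

    return push


def rotate(secret: Secret, new_password: str, push: Callable[[str], bool],
           retry_limit: int) -> bool:
    """Try to set new_password on the target up to retry_limit times.
    Assumption of this model: the vault is updated first, then the change is
    pushed, so an exhausted retry loop leaves vault and target out of step."""
    secret.vault_password = new_password
    for attempt in range(1, retry_limit + 1):
        if push(new_password):
            secret.events.append(f"rotation succeeded on attempt {attempt}")
            return True
        secret.events.append(f"rotation attempt {attempt} failed")
    secret.events.append("retry limit reached")
    return False


def check_in_vulnerable(secret: Secret, new_password: str, push, retry_limit: int) -> bool:
    """Pre-fix behaviour: the secret is checked in whatever rotation returned."""
    ok = rotate(secret, new_password, push, retry_limit)
    secret.checked_out = False
    return ok


def check_in_fixed(secret: Secret, new_password: str, push, retry_limit: int) -> bool:
    """Fixed behaviour: check in only on success; otherwise keep the secret
    checked out and flagged so the stale credential is not handed to anyone."""
    ok = rotate(secret, new_password, push, retry_limit)
    if ok:
        secret.checked_out = False
        secret.rotation_failed = False
    else:
        secret.rotation_failed = True
    return ok


def simulate(handler, failures_before_success: int, retry_limit: int = 3) -> Secret:
    """Run one check-in against a constructed secret that starts checked out."""
    secret = Secret("svc-account", "old-pw", "old-pw", checked_out=True)
    push = make_push(secret, failures_before_success)
    handler(secret, "new-pw", push, retry_limit)
    return secret


if __name__ == "__main__":
    for handler in (check_in_vulnerable, check_in_fixed):
        s = simulate(handler, failures_before_success=5)
        print(handler.__name__, "checked_out:", s.checked_out,
              "consistent:", s.consistent(), "flagged:", s.rotation_failed)
```

The point worth keeping from the model is the invariant, not the names: a secret may move to the checked-in state only when the vault and the target agree, and a rotation that gives up must leave a visible marker rather than a silently wrong password.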
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in Delinea Inc. Cloud Suite and Privileged Access Service.
If you are not already running the latest Server Suite agents, this fix also requires upgrading to Server Suite 2023.1 (agent 6.0.1) or later. If you cannot upgrade to release 2023.1 (agent 6.0.1) or later, upgrade to one of the following instead: Server Suite release 2023.0.5 (agent 6.0.0-158) or Server Suite release 2022.1.10 (agent 5.9.1-337).
Affected Product and Version:
Delinea Cloud Suite and Privileged Access Service version 25.1 HF4 and earlier
Resolution:
Upgrade to version 25.1 HF5 or later
CVE Details:
- CVE ID: CVE-2025-12811
- Published Date: February 12, 2026
- Vulnerability Type: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
- CWE: 444
- CVSS v4.0 Score: 6.9 (Medium)
- CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
- Credit: Dawid Dudek (Reporter)
- References: trust.delinea.com | Release Notes
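The advisory gives no detail of which two components disagreed or on what, so the following added example is a generic illustration of the weakness class (CWE-444), not Delinea's code and not a description of this specific flaw. It shows the check a strict HTTP front end applies before forwarding a request: any ambiguity in how the body length is determined (both Content-Length and Transfer-Encoding, duplicate or non-numeric Content-Length, an obfuscated or non-final chunked coding, whitespace in the header name) is rejected outright, because ambiguity is what lets two parsers choose different message boundaries. The sample requests are constructed.

```python
import re

# Strict header-line grammar: an RFC 9110 token, a colon immediately after it,
# optional whitespace, value. Leading whitespace, obs-fold and "Name : value"
# are all rejected rather than guessed at.
HEADER_RE = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")
KNOWN_CODINGS = {"chunked", "gzip", "deflate", "compress", "identity"}

# Constructed sample requests.
CLEAN = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 6\r\n\r\nabcdef")
CL_TE = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nG")
OBFUSCATED_TE = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
                 b"Transfer-Encoding: xchunked\r\n\r\n0\r\n\r\n")
SPACE_BEFORE_COLON = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
                      b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n")
DUPLICATE_CL = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 4\r\nContent-Length: 10\r\n\r\nabcd")


def parse_headers(raw: bytes) -> list:
    """Return [(name_lower, value), ...] for the header block of one request."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block not terminated")
    headers = []
    for line in head.split(b"\r\n")[1:]:        # [0] is the request line
        m = HEADER_RE.match(line.decode("latin-1"))
        if not m:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((m.group(1).lower(), m.group(2)))
    return headers


def framing_problems(raw: bytes) -> list:
    """Reasons a strict front end should reject the request (RFC 9112, section 6.3).
    An empty list means exactly one body-length interpretation exists."""
    try:
        headers = parse_headers(raw)
    except ValueError as e:
        return [str(e)]
    cl = [v for k, v in headers if k == "content-length"]
    te = [v for k, v in headers if k == "transfer-encoding"]
    problems = []
    if cl and te:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        problems.append("conflicting Content-Length values")
    for v in cl:
        if not re.fullmatch(r"[0-9]+", v):
            problems.append(f"invalid Content-Length {v!r}")
    if te:
        codings = [c.strip().lower() for c in ",".join(te).split(",")]
        if codings[-1] != "chunked":
            problems.append("final transfer coding is not chunked")
        if codings.count("chunked") > 1:
            problems.append("chunked applied more than once")
        for c in codings:
            if c not in KNOWN_CODINGS:
                problems.append(f"unknown transfer coding {c!r}")
    return problems


def body_framing(raw: bytes) -> tuple:
    """('chunked', None), ('length', n) or ('none', None) for an unambiguous
    request; raises ValueError for anything framing_problems() flags."""
    problems = framing_problems(raw)
    if problems:
        raise ValueError("; ".join(problems))
    headers = parse_headers(raw)
    if any(k == "transfer-encoding" for k, _ in headers):
        return ("chunked", None)
    for k, v in headers:
        if k == "content-length":
            return ("length", int(v))
    return ("none", None)


if __name__ == "__main__":
    for name, req in [("clean", CLEAN), ("cl_te", CL_TE), ("obfuscated", OBFUSCATED_TE),
                      ("space_colon", SPACE_BEFORE_COLON), ("dup_cl", DUPLICATE_CL)]:
        print(name, framing_problems(req) or "ok")
```

Rejecting with 400 is the right outcome for every case above: normalising the request (dropping one header, picking one Content-Length) is itself a second interpretation, and the back end may not make the same choice.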
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Delinea Inc. Cloud Suite and Privileged Access Service.
Affected Product and Version:
Delinea Cloud Suite and Privileged Access Service version 23.1.2 and earlier
Resolution:
Upgrade to Cloud Suite version 25.1 or later
CVE Details:
- CVE ID: CVE-2025-12812
- Published Date: February 12, 2026
- Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- CWE: 89
- CVSS v4.0 Score: 5.3 (Medium)
- CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
- Credit: Dawid Dudek (Reporter)
- References: trust.delinea.com | Release Notes
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Delinea Cloud Suite allows Argument Injection.
Affected Product and Version:
Cloud Suite before 25.2 HF1
Resolution:
Upgrade to Cloud Suite version 25.2 HF1 or later
CVE Details:
- CVE ID: CVE-2026-2409
- Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- CWE: 89
- CVSS v4.0 Score: 9.3 (Critical)
- CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
- Credit: Jess Parker (Reporter), Radu Enachi (Reporter)
- References: Release Notes
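Two advisories on this page, CVE-2025-12812 and CVE-2026-2409, are CWE-89, and the second is described as argument injection. Neither says which query or parameter is affected, so the added example below is a generic SQLite illustration and not Delinea code: a host lookup that interpolates both a filter value and an ORDER BY column, the data a UNION payload pulls from a table the caller should never see, a blind oracle built only from the sort order of the results (which is what makes an injectable argument dangerous even when the rows themselves are harmless), and the hardened version that binds the value and allowlists the identifier, since identifiers cannot be bound. The schema, rows and table names are constructed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema: a table the caller may query and a restricted one."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE hosts (id INTEGER PRIMARY KEY, name TEXT, owner TEXT);
        CREATE TABLE api_keys (id INTEGER PRIMARY KEY, key TEXT);
        INSERT INTO hosts VALUES (1, 'web01', 'alice'), (2, 'db01', 'bob');
        INSERT INTO api_keys VALUES (1, 'sk-constructed-secret');
    """)
    return con


def search_hosts_vulnerable(con, owner_pattern: str, order_by: str = "name") -> list:
    """Both the value and the ORDER BY argument are pasted into the SQL text."""
    sql = (f"SELECT name, owner FROM hosts WHERE owner LIKE '{owner_pattern}' "
           f"ORDER BY {order_by}")
    return con.execute(sql).fetchall()


ALLOWED_ORDER_COLUMNS = {"id", "name", "owner"}


def search_hosts_fixed(con, owner_pattern: str, order_by: str = "name") -> list:
    """Value goes through a bind parameter; the identifier is checked against an
    allowlist because a placeholder cannot stand in for a column name."""
    if order_by not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    sql = f"SELECT name, owner FROM hosts WHERE owner LIKE ? ORDER BY {order_by}"
    return con.execute(sql, (owner_pattern,)).fetchall()


# Value injection: closes the literal, appends a UNION over the restricted table,
# and comments out the rest of the statement.
UNION_PAYLOAD = "x' UNION SELECT key, 'pwned' FROM api_keys --"


def order_by_oracle(con, guess: str) -> bool:
    """Argument injection as a blind oracle: the probe never returns api_keys
    data, but sorting by name versus owner reverses the two host rows, so the
    first row reveals whether api_keys.key starts with `guess`."""
    probe = (f"CASE WHEN (SELECT substr(key, 1, {len(guess)}) FROM api_keys) = '{guess}' "
             f"THEN name ELSE owner END")
    rows = search_hosts_vulnerable(con, "%", order_by=probe)
    return rows[0][0] == "db01"      # by name: db01 first; by owner: web01 (alice) first


if __name__ == "__main__":
    con = make_db()
    print("vulnerable, union payload:", search_hosts_vulnerable(con, UNION_PAYLOAD))
    print("oracle 'sk-':", order_by_oracle(con, "sk-"), " oracle 'zz-':", order_by_oracle(con, "zz-"))
    print("fixed, union payload:", search_hosts_fixed(con, UNION_PAYLOAD))
    try:
        search_hosts_fixed(con, "%", order_by="name; --")
    except ValueError as e:
        print("fixed, bad sort column:", e)
```

Quoting or escaping the ORDER BY argument would not have helped: it is never inside a string literal, so the only sound defence for an identifier is to refuse anything outside a fixed set.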
Delinea makes no warranties of any kind, whether express, implied, statutory, or otherwise, and specifically, disclaims all warranties of fitness for a particular purpose, merchantability, accuracy of informational content, systems integration, non-infringement, non-interference with enjoyment or otherwise. Under no circumstances shall Delinea be liable for any damages whatsoever including direct, indirect, special, punitive or consequential loss or damage, including loss of profits, loss of business, loss of revenue, loss of or damage to goodwill, or loss of data. The foregoing exclusions will not apply to the extent prohibited by applicable law.