Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
Primary rating from Vendor (palo_alto) · only source for this CVE.
CVSS VectorVendor: palo_alto
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
Lifecycle Timeline
5DescriptionCVE.org
A race condition vulnerability in Palo Alto Networks Prisma® Browser enables a locally authenticated non-admin user to bypass certain access and data control policies.
AnalysisAI
Policy bypass in Palo Alto Networks Prisma® Browser allows a locally authenticated non-admin user to circumvent access and data control policies via a race condition, potentially exposing restricted data with high confidentiality impact to the vulnerable system. Affected versions span all releases prior to 146.16.6.165, per EUVD-2026-30087 and vendor advisory. No active exploitation is confirmed - the vulnerability is absent from CISA KEV, EPSS sits at 0.01% (3rd percentile), and SSVC assessment categorizes exploitation status as none - indicating this is a low-urgency but architecturally meaningful trust boundary weakness in an enterprise browser control product.
Technical ContextAI
Palo Alto Networks Prisma® Browser is an enterprise-managed browser used to enforce data loss prevention and access control policies on endpoints. The vulnerability is classified as CWE-754 (Improper Check for Unusual or Exceptional Conditions), indicating that the browser's policy enforcement logic fails to account for a timing-dependent exceptional state introduced by a race condition. In CVSS 4.0 terms, the Attack Requirements metric is set to Present (AT:P), confirming that exploitation depends on a specific window of concurrency - likely when two operations compete over a shared policy evaluation state, allowing the enforcement check to be observed as satisfied before the restricting condition is applied. The CPE string cpe:2.3:a:palo_alto_networks:prisma_browser:*:*:*:*:*:*:*:* covers all versions up to but not including 146.16.6.165. The CVSS 4.0 supplemental metric for Automatable is No (AU:N), consistent with the SSVC finding of non-automatable, reflecting the inherent difficulty of reliably triggering race condition windows at scale.
RemediationAI
The primary fix is to upgrade Palo Alto Networks Prisma® Browser to version 146.16.6.165 or later, as confirmed by the vendor-released patch referenced in EUVD-2026-30087 and the Palo Alto Networks advisory at https://security.paloaltonetworks.com/CVE-2026-0235. If immediate upgrade is not feasible, organizations should restrict local user access to managed endpoints running Prisma Browser, enforce the principle of least privilege to limit non-admin user sessions, and increase logging and alerting around policy bypass events or anomalous data access patterns within the browser environment. Note that these compensating controls do not eliminate the race condition and carry the trade-off of increased operational complexity without closing the underlying vulnerability. Prioritize patching in environments where Prisma Browser is deployed specifically for DLP or access control enforcement, as the vulnerability directly undermines those controls.
More in Prisma Browser
View allLocal code injection in Palo Alto Networks Prisma Browser on macOS lets an authenticated non-admin user abuse an exposed
Local privilege escalation in Palo Alto Networks Prisma Browser on macOS allows a locally authenticated non-admin user t
Privilege escalation in Palo Alto Networks Prisma® Browser on macOS enables a locally authenticated administrator with a
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30087
GHSA-8q7v-5p8j-cfcg