Skip to main content

Prisma Browser CVE-2026-0235

| EUVDEUVD-2026-30087 MEDIUM
Improper Check for Unusual or Exceptional Conditions (CWE-754)
2026-05-13 palo_alto GHSA-8q7v-5p8j-cfcg
5.8
CVSS 4.0 · Vendor: palo_alto
Share

Severity by source

Vendor (palo_alto) PRIMARY
5.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber

Primary rating from Vendor (palo_alto) · only source for this CVE.

CVSS VectorVendor: palo_alto

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Generated
Jun 08, 2026 - 10:40 vuln.today
Patch available
May 13, 2026 - 20:02 EUVD
CVSS changed
May 13, 2026 - 19:22 NVD
5.8 (MEDIUM)
CVE Published
May 13, 2026 - 18:14 nvd
UNKNOWN (no severity yet)
CVE Published
May 13, 2026 - 18:14 nvd
MEDIUM 5.8

DescriptionCVE.org

A race condition vulnerability in Palo Alto Networks Prisma® Browser enables a locally authenticated non-admin user to bypass certain access and data control policies.

AnalysisAI

Policy bypass in Palo Alto Networks Prisma® Browser allows a locally authenticated non-admin user to circumvent access and data control policies via a race condition, potentially exposing restricted data with high confidentiality impact to the vulnerable system. Affected versions span all releases prior to 146.16.6.165, per EUVD-2026-30087 and vendor advisory. No active exploitation is confirmed - the vulnerability is absent from CISA KEV, EPSS sits at 0.01% (3rd percentile), and SSVC assessment categorizes exploitation status as none - indicating this is a low-urgency but architecturally meaningful trust boundary weakness in an enterprise browser control product.

Technical ContextAI

Palo Alto Networks Prisma® Browser is an enterprise-managed browser used to enforce data loss prevention and access control policies on endpoints. The vulnerability is classified as CWE-754 (Improper Check for Unusual or Exceptional Conditions), indicating that the browser's policy enforcement logic fails to account for a timing-dependent exceptional state introduced by a race condition. In CVSS 4.0 terms, the Attack Requirements metric is set to Present (AT:P), confirming that exploitation depends on a specific window of concurrency - likely when two operations compete over a shared policy evaluation state, allowing the enforcement check to be observed as satisfied before the restricting condition is applied. The CPE string cpe:2.3:a:palo_alto_networks:prisma_browser:*:*:*:*:*:*:*:* covers all versions up to but not including 146.16.6.165. The CVSS 4.0 supplemental metric for Automatable is No (AU:N), consistent with the SSVC finding of non-automatable, reflecting the inherent difficulty of reliably triggering race condition windows at scale.

RemediationAI

The primary fix is to upgrade Palo Alto Networks Prisma® Browser to version 146.16.6.165 or later, as confirmed by the vendor-released patch referenced in EUVD-2026-30087 and the Palo Alto Networks advisory at https://security.paloaltonetworks.com/CVE-2026-0235. If immediate upgrade is not feasible, organizations should restrict local user access to managed endpoints running Prisma Browser, enforce the principle of least privilege to limit non-admin user sessions, and increase logging and alerting around policy bypass events or anomalous data access patterns within the browser environment. Note that these compensating controls do not eliminate the race condition and carry the trade-off of increased operational complexity without closing the underlying vulnerability. Prioritize patching in environments where Prisma Browser is deployed specifically for DLP or access control enforcement, as the vulnerability directly undermines those controls.

Share

CVE-2026-0235 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy