Skip to main content

Prisma Browser CVE-2026-0237

| EUVDEUVD-2026-30062 HIGH
Improper Protection of Alternate Path (CWE-424)
2026-05-13 palo_alto GHSA-7wx2-94c7-j77h
7.3
CVSS 4.0 · Vendor: palo_alto
Share

Severity by source

Vendor (palo_alto) PRIMARY
7.3 HIGH
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber

Primary rating from Vendor (palo_alto) · only source for this CVE.

CVSS VectorVendor: palo_alto

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 08:45 vuln.today
Patch available
May 13, 2026 - 19:17 EUVD
CVSS changed
May 13, 2026 - 18:22 NVD
7.3 (HIGH)
CVE Published
May 13, 2026 - 17:48 nvd
HIGH 7.3

DescriptionCVE.org

An improper protection of alternate path vulnerability in Palo Alto Networks Prisma® Browser on macOS fails to properly restrict access to an internal automation bridge. This allows a locally authenticated non-admin user to leverage an exposed communication channel to send unauthorized commands to the browser, bypassing security controls.

AnalysisAI

Local privilege escalation in Palo Alto Networks Prisma Browser on macOS allows a locally authenticated non-admin user to access an internal automation bridge that was insufficiently restricted, enabling unauthorized commands to be sent to the browser and bypassing built-in security controls. The flaw is tracked as CVE-2026-0237 with a CVSS 4.0 score of 7.3 and no public exploit identified at time of analysis, though SSVC rates the technical impact as total.

Technical ContextAI

Prisma Browser is Palo Alto Networks' enterprise secure browser (formerly the Talon acquisition) used to enforce data loss prevention, identity, and SaaS access controls on managed endpoints. The vulnerability is classified as CWE-424 (Improper Protection of Alternate Path), meaning the product enforces security checks on its primary interface but exposes a secondary channel - here, an internal automation/IPC bridge on macOS - that does not enforce the same trust boundary. Because the bridge is reachable by any local user session on the Mac (per CPE cpe:2.3:a:palo_alto_networks:prisma_browser), a non-admin process can drive the browser as if it were a privileged automation client, sidestepping the policy enforcement layer the browser is deployed to provide.

RemediationAI

Vendor-released patch: upgrade Prisma Browser on macOS to version 146.16.6.165 or later as documented at https://security.paloaltonetworks.com/CVE-2026-0237. Push the update through MDM (Jamf, Intune, Kandji) so all managed Macs are remediated in one wave rather than relying on user-initiated upgrades, since the bug is exploited by users already on the endpoint. As a compensating control until patching completes, restrict shared/multi-user macOS workstations where untrusted local accounts could reach the automation bridge, and audit any local accounts on devices running Prisma Browser; disabling the browser's automation/IPC bridge is not a documented vendor workaround and would likely break legitimate enterprise integrations, so patching is strongly preferred over interface-level mitigations.

Share

CVE-2026-0237 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy