Skip to main content

Broker VM CVE-2026-0238

| EUVDEUVD-2026-30090 LOW
Improper Input Validation (CWE-20)
2026-05-13 palo_alto GHSA-gxm4-cg9r-54vw
1.1
CVSS 4.0 · Vendor: palo_alto

Severity by source

Vendor (palo_alto) PRIMARY
1.1 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber

Primary rating from Vendor (palo_alto) · only source for this CVE.

CVSS VectorVendor: palo_alto

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 12:51 vuln.today
Patch available
May 13, 2026 - 20:02 EUVD
CVSS changed
May 13, 2026 - 19:22 NVD
1.1 (LOW)
CVE Published
May 13, 2026 - 18:22 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

A vulnerability in Palo Alto Networks Broker VM allows an authenticated administrator to inject arbitrary content into certain Broker VM fields.

AnalysisAI

Content injection in Palo Alto Networks Broker VM 30.0 (versions prior to 30.0.24) allows an authenticated administrator with local access to inject arbitrary content into certain administrative fields within the appliance. The vulnerability carries a CVSS 4.0 score of 1.1, reflecting its highly constrained exploitation prerequisites: local access, low-privilege authentication, and limited integrity impact with no confidentiality or availability consequences. No public exploit identified at time of analysis, and SSVC assessment confirms no observed exploitation, making this a low-urgency finding for most organizations.

Technical ContextAI

Palo Alto Networks Broker VM is a virtual appliance that functions as an intermediary for cloud-delivered security services, brokering traffic between enterprise environments and Palo Alto's cloud infrastructure. The vulnerability is rooted in CWE-20 (Improper Input Validation), meaning certain administrator-facing input fields in the Broker VM management interface fail to adequately sanitize or restrict the content that can be submitted. This allows injection of arbitrary content - likely affecting stored data, configuration fields, or log entries - rather than achieving remote code execution. The CPE string (cpe:2.3:a:palo_alto_networks:broker_vm:*:*:*:*:*:*:*:*) confirms the flaw is in the Broker VM application itself, and EUVD data narrows the affected scope to the 30.0 release train, specifically builds below 30.0.24.

RemediationAI

The vendor-released patch is Broker VM 30.0.24, which resolves the improper input validation defect. Organizations running Broker VM 30.0 prior to 30.0.24 should upgrade to 30.0.24 or later per the Palo Alto Networks advisory at https://security.paloaltonetworks.com/CVE-2026-0238. Because exploitation requires an authenticated administrator session with local access, the immediate compensating control - if patching is delayed - is to enforce strict administrative account hygiene: apply multi-factor authentication to all Broker VM administrator accounts, restrict console and management interface access to dedicated jump hosts, and audit administrator activity logs for anomalous field modifications. These controls directly address the attack surface by limiting who can reach the vulnerable input fields. No significant trade-offs apply to the patch itself; upgrade impact should be assessed per standard Palo Alto Networks VM maintenance procedures.

Share

CVE-2026-0238 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy