Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:M/U:Amber
Primary rating from Vendor (palo_alto) · only source for this CVE.
CVSS VectorVendor: palo_alto
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:M/U:Amber
Lifecycle Timeline
3DescriptionCVE.org
An information disclosure vulnerability in the Chronosphere Chronocollector enables an unauthenticated attacker with network access to the collector service to retrieve sensitive information.
AnalysisAI
Unauthenticated information disclosure in Palo Alto Networks' Chronosphere Chronocollector exposes sensitive data to any attacker with adjacent network access to the collector service endpoint. All versions from 0.0.0 up to v0.116.0 are affected, with the fix released in v0.116.0. No public exploit code has been identified at time of analysis and CISA has not added this to the KEV catalog, but the CVSS 4.0 Value Density modifier of 'Concentrated' (V:C) suggests the data at risk may include high-value material such as credentials or configuration secrets.
Technical ContextAI
Chronosphere Chronocollector is a metrics and observability data collection agent (CPE: cpe:2.3:a:palo_alto_networks:chronosphere_chronocollector:*:*:*:*:*:*:*:*) used in cloud-native monitoring infrastructure. The root cause is classified as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), meaning the service exposes internal system or application data through an interface that should not surface it - typically via an API endpoint, debug route, or metadata service that lacks authentication enforcement. The CVSS 4.0 vector confirms no authentication (PR:N) and no user interaction (UI:N) are required, and the attack vector is Adjacent (AV:A), meaning the attacker must be on the same network segment, broadcast domain, or directly connected subnet - not reachable over the open internet without prior network access.
RemediationAI
Upgrade Chronosphere Chronocollector to version v0.116.0 or later, which resolves this vulnerability per the EUVD affected version range. The vendor advisory at https://security.paloaltonetworks.com/CVE-2026-0239 should be consulted for any additional deployment guidance. If immediate patching is not feasible, implement network-layer access controls to restrict which hosts or subnets can reach the Chronocollector service port - because the attack vector is Adjacent (AV:A), enforcing strict network segmentation (e.g., dedicated monitoring VLANs with ACLs) would prevent exploitation by blocking access from untrusted adjacent segments. Be aware that overly restrictive ACLs on the collector port could interrupt metrics ingestion pipelines, so changes should be validated in a staging environment. Host-based firewall rules on the collector host are a secondary option with less operational disruption.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30091
GHSA-3544-2m8c-rh83