Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:M/U:Amber
Primary rating from Vendor (palo_alto) · only source for this CVE.
CVSS VectorVendor: palo_alto
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:M/U:Amber
Lifecycle Timeline
3DescriptionCVE.org
Multiple authorization bypass vulnerabilities in the Endpoint DLP component of Prisma Access Agent® allow a local attacker to bypass authentication controls and execute privileged operations.
AnalysisAI
Authorization bypass in Palo Alto Networks Prisma Access Agent's Endpoint DLP component permits a locally authenticated attacker with low privileges to circumvent authentication controls and invoke privileged operations. Affected are all Prisma Access Agent versions prior to 26.2.1, with full confidentiality, integrity, and availability impact on the vulnerable component confirmed by the CVSS:4.0 vector (VC:H/VI:H/VA:H). No active exploitation has been identified - SSVC marks exploitation as 'none', EPSS sits at the 1st percentile, and the CVSS exploit maturity is rated 'Unreported' (E:U).
Technical ContextAI
The affected product is Palo Alto Networks Prisma Access Agent (CPE: cpe:2.3:a:palo_alto_networks:prisma_access_agent:*:*:*:*:*:*:*:*), specifically its Endpoint Data Loss Prevention (DLP) component, which runs as a privileged process on managed endpoints. The root cause is classified as CWE-306 (Missing Authentication for Critical Function): one or more internal interfaces or inter-process communication channels within the Endpoint DLP subsystem fail to enforce authentication or authorization checks before executing sensitive operations. This flaw class typically arises when privileged daemons or services expose local APIs, named pipes, sockets, or COM objects without validating the caller's identity or privilege level, allowing any local user-space process to invoke operations intended only for privileged contexts. The vulnerability is multiple in nature, suggesting several distinct code paths share this deficiency.
RemediationAI
Upgrade Prisma Access Agent to version 26.2.1 or later, which contains the vendor-released patch per EUVD-2026-30098 versioning data. The authoritative vendor advisory is at https://security.paloaltonetworks.com/CVE-2026-0247. Where immediate patching is not possible, compensating controls should focus on reducing local access exposure: restrict interactive login and local code execution rights on endpoints running Prisma Access Agent to only trusted, managed accounts (trade-off: limits troubleshooting by non-admin staff); apply application allowlisting to prevent untrusted local processes from invoking DLP component interfaces; and enable endpoint behavioral monitoring to detect unexpected privilege escalation patterns. Because exploitation requires local access (AV:L) with low privileges, hardening local user account provisioning and enforcing least-privilege endpoint configurations are effective interim mitigations.
More in Prisma Access Agent
View allImproper certificate validation in Palo Alto Networks Prisma Access Agent versions below 26.2.1 on Android and Chrome OS
Privilege escalation in Palo Alto Networks Prisma Access Agent on Linux allows a locally authenticated low-privileged us
Local privilege escalation in Palo Alto Networks Prisma Access Agent (all versions prior to 26.2.1) allows any locally a
Multiple protection mechanism failures in the Data Loss Prevention (DLP) component of Palo Alto Networks Prisma Access A
Improper certificate validation in the Palo Alto Networks Prisma Access Agent for iOS exposes VPN tunnel traffic to inte
Security control bypass in Palo Alto Networks Prisma Access Agent for Linux enables a local, low-privileged attacker to
Prisma Access Agent on Windows and macOS exposes sensitive configuration data and credentials to local low-privileged us
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30098
GHSA-cx3v-69qf-w6mx