Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
AV:L and PR:L reflect mandatory local user access; C:H captures VPN bypass exposing plaintext traffic; I:L for routing manipulation; S:U as scope is contained to the local endpoint.
Primary rating from Vendor (palo_alto).
CVSS VectorVendor: palo_alto
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
Lifecycle Timeline
2DescriptionCVE.org
A security control bypass vulnerability in Prisma Access Agent for Linux allows a local attacker to route network traffic outside the VPN tunnel.
This does not impact Prisma Access Agent on Windows, macOS, iOS, Android, or ChromeOS.
AnalysisAI
Security control bypass in Palo Alto Networks Prisma Access Agent for Linux enables a local, low-privileged attacker to route network traffic outside the VPN tunnel, undermining the core data-in-transit protection the agent is designed to enforce. Only Linux deployments are affected - Windows, macOS, iOS, Android, and ChromeOS are explicitly not impacted. No public exploit code exists at time of analysis and this vulnerability is not listed in the CISA KEV catalog, but the CVSS 4.0 confidentiality impact is rated High due to the exposure of unencrypted traffic to untrusted network paths.
Technical ContextAI
CWE-424 (Improper Protection of Alternate Path) describes a class of flaw where a security enforcement mechanism fails to protect an alternate execution or routing path, allowing an adversary to circumvent intended controls. In the context of a VPN client agent, this typically manifests as a split-tunnel enforcement failure or a routing manipulation weakness - the agent does not adequately prevent a local user from modifying routing tables, interface bindings, or agent policy state in a way that directs traffic through an unprotected network path. The affected product is identified via CPE as cpe:2.3:a:palo_alto_networks:prisma_access_agent on Linux. Prisma Access Agent is the endpoint client of Palo Alto Networks' cloud-delivered SASE platform, responsible for enforcing security policy and routing endpoint traffic through the Prisma Access cloud fabric. The Linux-specific nature of this flaw suggests a platform-specific implementation gap in how the agent enforces tunnel exclusivity on Linux networking primitives versus other supported OSes.
RemediationAI
The primary remediation is to apply the vendor-released patch per the Palo Alto Networks security advisory at https://security.paloaltonetworks.com/CVE-2026-0268. A patch is available per the vendor advisory; however, the exact fixed version of Prisma Access Agent for Linux was not independently confirmed from the provided intelligence, and administrators must consult the advisory directly for the specific target version. As a compensating control pending patching, organizations can enforce mandatory network-layer egress restrictions via perimeter or host-based firewall rules that block direct internet traffic from Linux endpoints not transiting the Prisma Access tunnel - note this may disrupt legitimate local network access and requires careful scoping to avoid operational impact. Additionally, restricting local user privilege escalation paths on Linux endpoints reduces the attacker's ability to interact with routing configuration. Deploying EDR tooling with rules alerting on anomalous routing table modifications (e.g., ip route changes by non-root users) provides a detective control. None of these compensating controls are substitutes for patching.
More in Prisma Access Agent
View allImproper certificate validation in Palo Alto Networks Prisma Access Agent versions below 26.2.1 on Android and Chrome OS
Privilege escalation in Palo Alto Networks Prisma Access Agent on Linux allows a locally authenticated low-privileged us
Authorization bypass in Palo Alto Networks Prisma Access Agent's Endpoint DLP component permits a locally authenticated
Local privilege escalation in Palo Alto Networks Prisma Access Agent (all versions prior to 26.2.1) allows any locally a
Multiple protection mechanism failures in the Data Loss Prevention (DLP) component of Palo Alto Networks Prisma Access A
Improper certificate validation in the Palo Alto Networks Prisma Access Agent for iOS exposes VPN tunnel traffic to inte
Prisma Access Agent on Windows and macOS exposes sensitive configuration data and credentials to local low-privileged us
Same weakness CWE-424 – Improper Protection of Alternate Path
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36144
GHSA-cxwj-f3w7-6266