Severity by source
CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:D/RE:M/U:Amber
AV:A reflects the requirement for an adjacent-network man-in-the-middle position; AC:H together with AT:P reflects the active interception prerequisite; PR:N because no authentication is needed; UI:P (passive, not the CVSS 3.x value UI:R) because the victim engine must itself initiate the request whose response gets intercepted; VC:H/VI:H/VA:H because an arbitrary file write on the host enables code execution.
Primary rating from Vendor (palo_alto).
Description (CVE.org)
A path traversal vulnerability in Palo Alto Networks Cortex XSOAR engine software running on Linux allows an unauthenticated attacker on an adjacent network, with the ability to intercept and manipulate network response traffic via a man-in-the-middle (MITM) attack, to write arbitrary files to the host.
Analysis (AI)
Path traversal in the Palo Alto Networks Cortex XSOAR engine on Linux lets an unauthenticated adjacent-network attacker who can intercept and alter the responses to the engine's outbound requests (a MITM position) write arbitrary files to the host. The NVD reference to CVE-2007-4559, the canonical Python tarfile path traversal, suggests, without confirming, that the engine's content pack or update download path extracts an archive with Python's tarfile module without sanitizing member paths, so a poisoned archive can escape the extraction directory. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI)
| Exploitation | Exploitation requires three concurrent conditions: (1) the attacker must be physically or logically adjacent to the network segment hosting the Cortex XSOAR engine; remote, internet-based exploitation is ruled out by AV:A; (2) the attacker must achieve an active MITM position and modify the responses to the engine's outbound requests, which is what AC:H and AT:P encode; passive observation is insufficient; (3) the engine must initiate a network request to fetch or update content (for example a content pack download) during the interception window, giving the attacker the opportunity to substitute a malicious archive (reflected by UI:P). … |
| Risk Assessment | Despite VC:H/VI:H/VA:H in the CVSS 4.0 vector, which indicates full confidentiality, integrity and availability impact on the vulnerable system, the overall score of 4.8 reflects the significant exploitation barriers: adjacent access, an active MITM position, and a victim-initiated request. … |
| Exploit Scenario | An attacker positioned on the same network segment as a Cortex XSOAR engine, via ARP poisoning, a rogue switch port, or a compromised network device, intercepts an outbound HTTP/S request the engine makes to download a content pack or integration update. The attacker substitutes the legitimate response with a crafted tar archive containing a member path such as '../../etc/cron.d/backdoor'; the engine extracts that member outside the intended directory and writes attacker-controlled content to a sensitive system path. The advisory does not say whether the fetch is over plaintext HTTP or whether TLS certificate validation can be bypassed; against a properly validated HTTPS connection the attacker would additionally have to defeat that validation, so strict validation or pinning of the download channel is a compensating control worth verifying on the engine host. … |
| Remediation | The primary fix is to apply the vendor-supplied patch from Palo Alto Networks detailed at https://security.paloaltonetworks.com/CVE-2026-0270; an exact patched version number is not confirmed in the available data, so administrators should consult the advisory directly to identify the target upgrade version. … |
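The tarfile traversal that the analysis infers and the exploit scenario describes, shown as an added example that is not the page's, Palo Alto's, or the XSOAR engine's code: a constructed archive whose one member name carries `../../` is examined under the unsafe pattern of trusting member names (what a bare `tarfile.extractall` does, the CVE-2007-4559 shape) and under a hardened extractor that validates every member before writing anything. The archive contents, the `pack/` layout, the `/etc/cron.d/backdoor` target and all function names are assumptions for illustration only.

```python
import io
import os
import tarfile
import tempfile


def build_tar(members):
    """Build an in-memory tar from {member_name: bytes}.
    Constructed sample input for this example; not a real XSOAR content pack."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)  # regular file entry
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# What a legitimate download might look like (assumed layout).
BENIGN_TAR = build_tar({
    "pack/metadata.json": b"{}",
    "pack/script.py": b"print('ok')\n",
})

# What a MITM attacker could substitute for that download: one member name
# climbs out of the extraction directory.
POISONED_TAR = build_tar({
    "pack/metadata.json": b"{}",
    "../../etc/cron.d/backdoor": b"* * * * * root /tmp/x\n",
})


def _inside(path, root):
    """True if path is root itself or lies beneath it."""
    return path == root or path.startswith(root + os.sep)


def naive_targets(tar_bytes, dest):
    """Where each member lands under the unsafe pattern: the archive's own
    names are joined onto dest with no validation, so '..' components walk
    out of dest. Returns {member_name: (resolved_path, stays_inside_dest)}."""
    dest = os.path.realpath(dest)
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar.getmembers():
            target = os.path.realpath(os.path.join(dest, m.name))
            out[m.name] = (target, _inside(target, dest))
    return out


def safe_extract(tar_bytes, dest):
    """Hardened extraction: validate every member first, then write regular
    files ourselves. Rejects absolute names, anything resolving outside dest,
    and every non-file/non-directory entry (symlinks, hardlinks, devices),
    which a poisoned archive can also abuse. Nothing is written if any
    member fails validation. Returns the relative paths written."""
    dest = os.path.realpath(dest)
    written = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        members = tar.getmembers()
        for m in members:
            resolved = os.path.realpath(os.path.join(dest, m.name))
            if os.path.isabs(m.name) or not _inside(resolved, dest):
                raise ValueError(f"refusing member outside extraction dir: {m.name!r}")
            if not (m.isfile() or m.isdir()):
                raise ValueError(f"refusing non-regular member: {m.name!r}")
        for m in members:
            target = os.path.join(dest, m.name)
            if m.isdir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(m) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, dest))
    return written


def demo():
    """Run both paths against the constructed archives in a scratch directory."""
    dest = tempfile.mkdtemp(prefix="xsoar-pack-")
    naive = naive_targets(POISONED_TAR, dest)
    try:
        safe_extract(POISONED_TAR, dest)
        rejected = None
    except ValueError as exc:
        rejected = str(exc)
    nothing_written = os.listdir(dest) == []
    extracted = safe_extract(BENIGN_TAR, dest)
    return {
        "escapes": [n for n, (_, inside) in naive.items() if not inside],
        "rejected": rejected,
        "nothing_written": nothing_written,
        "extracted": sorted(extracted),
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` reports the member that escapes under the naive join, the rejection message from the hardened path, and that the poisoned archive left the scratch directory empty before the benign one extracted cleanly. On Python 3.12 and later (and the 3.8.17, 3.9.17, 3.10.12 and 3.11.4 backports) `tar.extractall(dest, filter="data")` applies comparable checks in the standard library; the manual validation above also covers interpreters that lack the filter argument.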
References
EUVD-2026-36146
GHSA-6p7f-m9mh-p8gq