Skip to main content

Prisma Access Agent CVE-2026-0271

| EUVD-2026-36147 MEDIUM
Incorrect Permission Assignment for Critical Resource (CWE-732)
2026-06-10 palo_alto GHSA-wmww-3qhp-47r4
Microsoft Apple Paloalto Privilege Escalation Google
5.9
CVSS 4.0 · Vendor: palo_alto
Share

Severity by source

Vendor (palo_alto) PRIMARY
5.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:M/U:Amber
vuln.today AI
8.8 HIGH

Local access and low privileges required; scope changes to elevated privilege level enabling full system compromise with no network vector.

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (palo_alto).

CVSS VectorVendor: palo_alto

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:M/U:Amber
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 10, 2026 - 23:01 EUVD
Analysis Generated
Jun 10, 2026 - 22:03 vuln.today
CVE Published
Jun 10, 2026 - 20:59 cve.org
MEDIUM 5.9

DescriptionCVE.org

A privilege escalation (PE) vulnerability in the Palo Alto Networks Prisma Access Agent app on Linux devices enables a local user to execute code with elevated privileges.

This does not impact Prisma Access Agent on Windows, macOS, iOS, Android, or ChromeOS.

AnalysisAI

Privilege escalation in Palo Alto Networks Prisma Access Agent on Linux allows a locally authenticated low-privileged user to execute arbitrary code with elevated privileges, achieving full confidentiality, integrity, and availability compromise of the affected system. The vulnerability is rooted in CWE-732 (Incorrect Permission Assignment for Critical Resource) and is strictly scoped to Linux deployments - the Windows, macOS, iOS, Android, and ChromeOS agent variants are confirmed unaffected by the vendor. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local user account on Linux agent host
Delivery
Identify over-permissive agent file or directory (CWE-732)
Exploit
Write malicious payload to controllable resource
Execution
Privileged agent process loads attacker-controlled resource
Impact
Execute arbitrary code with elevated privileges
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires an attacker to already hold an interactive local user session on the Linux host running Prisma Access Agent - confirmed by AV:L and PR:L in the CVSS 4.0 vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 5.9 with AV:L and PR:L confirms this is a post-authentication, local-only privilege escalation, not a remotely exploitable vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a low-privileged local account on a Linux endpoint running Prisma Access Agent identifies an over-permissive file or directory associated with the agent installation - consistent with CWE-732 - such as a world-writable configuration file, a plugin directory, or a library path loaded by a privileged process. The attacker replaces or modifies that resource with a malicious payload, which is subsequently loaded and executed with elevated privileges by the agent or an associated privileged service, yielding full system control. …
Remediation Consult the Palo Alto Networks security advisory at https://security.paloaltonetworks.com/CVE-2026-0271 for the specific patched version of Prisma Access Agent on Linux and apply the vendor-supplied update as the primary remediation; no exact fixed version number was available in the intelligence data provided and one should not be assumed. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-0273 MEDIUM
6.1 Jun 10

Command injection in Palo Alto Networks PAN-OS enables an authenticated administrator to escape system-enforced restrict
CVE-2026-0272 MEDIUM
6.0 Jun 10

Privilege escalation in Palo Alto Networks PAN-OS on PA-Series and VM-Series firewalls and Panorama appliances allows an
CVE-2026-0270 MEDIUM
4.8 Jun 10

Path traversal in Palo Alto Networks Cortex XSOAR engine on Linux enables arbitrary file write to the host system by an

CVE-2026-0269 MEDIUM
4.6 Jun 10

Memory corruption in PAN-OS tunnel traffic processing allows an authenticated, adjacent-network attacker to force the fi
CVE-2026-0267 MEDIUM
4.4 Jun 10

GlobalProtect app on macOS exposes administrator-configured passcodes - used to restrict disabling, disconnecting, or un

Share

CVE-2026-0271 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy