Skip to main content

Akamai Guardicore Platform Agent EUVDEUVD-2026-28788

| CVE-2026-34354 HIGH
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-05-08 mitre GHSA-54h8-vwcv-q5r9
7.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 08, 2026 - 16:30 vuln.today
CVE Published
May 08, 2026 - 00:00 nvd
HIGH 7.4

DescriptionCVE.org

Akamai Guardicore Platform Agent (GPA) and Zero Trust Client on Linux and macOS allow TOCTOU-based local privilege escalation. The GPA service creates an IPC socket in the world-writable /tmp directory. It accepts unauthenticated IPC control messages. This enables a TOCTOU vulnerability in the HandleSaveLogs() function of the GPA service, by creating a log file and manipulating it into a symlink that points to the targeted path; this can allow an unprivileged local user to make arbitrary root-owned files world-writable. In addition, a diagnostic collection tool (gimmelogs) running with root privileges was vulnerable to command injection from the dbstore, offering a second privilege escalation vector. (On Windows, gimmelogs does not have command injection but does allow writing a ZIP archive to an unintended location.) This affects Akamai Guardicore Platform Agent 7.0 through 7.3.1 and Akamai Zero Trust Client 6.0 through 6.1.5.

AnalysisAI

Local privilege escalation in Akamai Guardicore Platform Agent 7.0-7.3.1 and Zero Trust Client 6.0-6.1.5 on Linux and macOS enables unprivileged users to gain root access through two distinct vectors: a TOCTOU race condition in the HandleSaveLogs() function that creates world-writable root-owned files via symlink manipulation in /tmp, and command injection in the gimmelogs diagnostic tool executing with root privileges. The vulnerability requires local access with high attack complexity (CVSS AC:H) but no authentication (PR:N), affecting endpoint security agents that typically run with elevated privileges. No active exploitation confirmed at time of analysis; EPSS data not available for this 2026 CVE identifier.

Technical ContextAI

This vulnerability exploits two classic UNIX security weaknesses in privileged system services. The primary vector is a Time-Of-Check-Time-Of-Use (TOCTOU) race condition (CWE-367) where the Guardicore Platform Agent service creates an IPC socket in the world-writable /tmp directory and accepts unauthenticated control messages. The HandleSaveLogs() function creates a log file that an attacker can race to replace with a symbolic link pointing to a privileged file (e.g., /etc/shadow or /etc/sudoers), causing the service to write log content with root ownership and world-writable permissions to that target. The secondary vector involves command injection in gimmelogs, a diagnostic collection utility running as root that accepts untrusted input from the dbstore database, allowing shell metacharacter injection. Both CPE entries (Guardicore Platform Agent and Zero Trust Client) share the same vulnerable codebase for their agent components. On Windows, the TOCTOU vector is mitigated by OS file system semantics, though gimmelogs retains arbitrary file write capability without command injection.

RemediationAI

Upgrade Akamai Guardicore Platform Agent to version 7.3.2 or later, and Akamai Zero Trust Client to version 6.1.6 or later, per the Akamai security advisory at https://www.akamai.com/blog/security-research/advisory-cve-2026-34354-guardicore-local-privilege-escalation. If immediate patching is not feasible, implement compensating controls recognizing their operational trade-offs: restrict local user access to endpoints running Guardicore agents using least-privilege policies and mandatory access controls (AppArmor/SELinux) - this reduces attack surface but may conflict with legitimate multi-user workflows; enable audit logging for /tmp directory operations and gimmelogs executions to detect exploitation attempts - this provides detection without prevention and generates log volume; deploy file system mount options with nosymfollow for /tmp where supported (FreeBSD, some Linux distributions with kernel 5.8+) - this directly mitigates the TOCTOU vector but may break applications expecting symlink functionality in /tmp. Each mitigation requires testing in non-production environments before deployment as they may impact legitimate Guardicore agent operations or third-party applications.

Share

EUVD-2026-28788 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy