Skip to main content

Prisma Access Agent EUVDEUVD-2026-30098

| CVE-2026-0247 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-05-13 palo_alto GHSA-cx3v-69qf-w6mx
5.9
CVSS 4.0 · Vendor: palo_alto
Share

Severity by source

Vendor (palo_alto) PRIMARY
5.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:M/U:Amber

Primary rating from Vendor (palo_alto) · only source for this CVE.

CVSS VectorVendor: palo_alto

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:M/U:Amber
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 10:46 vuln.today
Patch available
May 13, 2026 - 20:02 EUVD
CVSS changed
May 13, 2026 - 19:22 NVD
5.9 (MEDIUM)

DescriptionCVE.org

Multiple authorization bypass vulnerabilities in the Endpoint DLP component of Prisma Access Agent® allow a local attacker to bypass authentication controls and execute privileged operations.

AnalysisAI

Authorization bypass in Palo Alto Networks Prisma Access Agent's Endpoint DLP component permits a locally authenticated attacker with low privileges to circumvent authentication controls and invoke privileged operations. Affected are all Prisma Access Agent versions prior to 26.2.1, with full confidentiality, integrity, and availability impact on the vulnerable component confirmed by the CVSS:4.0 vector (VC:H/VI:H/VA:H). No active exploitation has been identified - SSVC marks exploitation as 'none', EPSS sits at the 1st percentile, and the CVSS exploit maturity is rated 'Unreported' (E:U).

Technical ContextAI

The affected product is Palo Alto Networks Prisma Access Agent (CPE: cpe:2.3:a:palo_alto_networks:prisma_access_agent:*:*:*:*:*:*:*:*), specifically its Endpoint Data Loss Prevention (DLP) component, which runs as a privileged process on managed endpoints. The root cause is classified as CWE-306 (Missing Authentication for Critical Function): one or more internal interfaces or inter-process communication channels within the Endpoint DLP subsystem fail to enforce authentication or authorization checks before executing sensitive operations. This flaw class typically arises when privileged daemons or services expose local APIs, named pipes, sockets, or COM objects without validating the caller's identity or privilege level, allowing any local user-space process to invoke operations intended only for privileged contexts. The vulnerability is multiple in nature, suggesting several distinct code paths share this deficiency.

RemediationAI

Upgrade Prisma Access Agent to version 26.2.1 or later, which contains the vendor-released patch per EUVD-2026-30098 versioning data. The authoritative vendor advisory is at https://security.paloaltonetworks.com/CVE-2026-0247. Where immediate patching is not possible, compensating controls should focus on reducing local access exposure: restrict interactive login and local code execution rights on endpoints running Prisma Access Agent to only trusted, managed accounts (trade-off: limits troubleshooting by non-admin staff); apply application allowlisting to prevent untrusted local processes from invoking DLP component interfaces; and enable endpoint behavioral monitoring to detect unexpected privilege escalation patterns. Because exploitation requires local access (AV:L) with low privileges, hardening local user account provisioning and enforcing least-privilege endpoint configurations are effective interim mitigations.

Share

EUVD-2026-30098 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy