Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
Primary rating from Vendor (palo_alto) · only source for this CVE.
CVSS VectorVendor: palo_alto
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
Lifecycle Timeline
5DescriptionCVE.org
Multiple local privilege escalation vulnerabilities in the Palo Alto Networks GlobalProtect™ app allow a local user to escalate their privileges to NT AUTHORITY\SYSTEM on Windows and root on macOS and Linux. This enables a non-administrative user to execute arbitrary commands with administrative privileges.
The GlobalProtect app on iOS, Android, Chrome OS and GlobalProtect UWP app are not affected.
AnalysisAI
Local privilege escalation vulnerabilities in Palo Alto Networks GlobalProtect App on Windows, macOS, and Linux allow a low-privileged local user to elevate to NT AUTHORITY\SYSTEM (Windows) or root (macOS/Linux), enabling full OS-level command execution. The root cause is CWE-426 (Untrusted Search Path), where the application resolves executables or libraries from attacker-controllable locations. No public exploit has been identified and CISA SSVC confirms exploitation status as none; however, SSVC rates technical impact as total, reflecting the complete privilege gain achievable upon successful exploitation.
Technical ContextAI
CWE-426 (Untrusted Search Path) occurs when an application resolves the location of an executable or library using a path that a lower-privileged user can influence - commonly via environment variables, the system PATH, working directory, or DLL search order on Windows. The GlobalProtect App runs privileged background processes (services or daemons) that, under vulnerable versions, can be tricked into loading attacker-supplied code by planting a malicious binary in a user-writable directory that appears earlier in the search order than the legitimate binary. Affected platforms are Windows, macOS, and Linux per CPE cpe:2.3:a:palo_alto_networks:globalprotect_app covering versions in the 6.0, 6.2, and 6.3 branches. The GlobalProtect UWP app and mobile variants (iOS, Android, Chrome OS) are explicitly excluded, likely because those platforms enforce stricter sandboxing and application packaging that prevents path manipulation.
RemediationAI
Upgrade to a patched release per branch: for the 6.0.x branch, upgrade to GlobalProtect App 6.0.11 or 6.0.13 as applicable to your platform; for the 6.2.x branch, upgrade to 6.2.8-h10 (build 948); for the 6.3.x branch, upgrade to 6.3.3-h9 (build 999) or 6.3.3-h2 (build 42) per the Palo Alto Networks advisory at https://security.paloaltonetworks.com/CVE-2026-0251. Where immediate patching is not possible, restrict local interactive login on GlobalProtect-managed endpoints to only trusted administrative accounts, eliminating the untrusted-user precondition for exploitation - note this may not be feasible in shared-endpoint environments. Additionally, audit and restrict write permissions on directories in the system PATH and GlobalProtect installation path to prevent non-administrative users from placing files in locations searched by GlobalProtect processes; this reduces but does not eliminate the untrusted search path exposure. On Windows, consider enabling and monitoring Windows Defender Credential Guard and application allowlisting (WDAC/AppLocker) to detect or block unauthorized binary execution in privileged contexts.
More in Globalprotect App
View allBuffer overflow in Palo Alto Networks GlobalProtect App (versions 6.0 through 6.3) allows an adjacent-network attacker p
Improper certificate validation in Palo Alto Networks GlobalProtect App exposes macOS and Android users to adversary-in-
GlobalProtect app on macOS exposes administrator-configured passcodes - used to restrict disabling, disconnecting, or un
Same weakness CWE-426 – Untrusted Search Path
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30102
GHSA-h94g-f37w-qxpj