Skip to main content

GlobalProtect App EUVDEUVD-2026-30102

| CVE-2026-0251 MEDIUM
Untrusted Search Path (CWE-426)
2026-05-13 palo_alto GHSA-h94g-f37w-qxpj
5.9
CVSS 4.0 · Vendor: palo_alto
Share

Severity by source

Vendor (palo_alto) PRIMARY
5.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber

Primary rating from Vendor (palo_alto) · only source for this CVE.

CVSS VectorVendor: palo_alto

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Generated
Jun 08, 2026 - 10:58 vuln.today
Patch available
May 13, 2026 - 20:02 EUVD
CVSS changed
May 13, 2026 - 19:22 NVD
5.9 (MEDIUM)
CVE Published
May 13, 2026 - 18:20 nvd
MEDIUM 5.9
CVE Published
May 13, 2026 - 18:20 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Multiple local privilege escalation vulnerabilities in the Palo Alto Networks GlobalProtect™ app allow a local user to escalate their privileges to NT AUTHORITY\SYSTEM on Windows and root on macOS and Linux. This enables a non-administrative user to execute arbitrary commands with administrative privileges.

The GlobalProtect app on iOS, Android, Chrome OS and GlobalProtect UWP app are not affected.

AnalysisAI

Local privilege escalation vulnerabilities in Palo Alto Networks GlobalProtect App on Windows, macOS, and Linux allow a low-privileged local user to elevate to NT AUTHORITY\SYSTEM (Windows) or root (macOS/Linux), enabling full OS-level command execution. The root cause is CWE-426 (Untrusted Search Path), where the application resolves executables or libraries from attacker-controllable locations. No public exploit has been identified and CISA SSVC confirms exploitation status as none; however, SSVC rates technical impact as total, reflecting the complete privilege gain achievable upon successful exploitation.

Technical ContextAI

CWE-426 (Untrusted Search Path) occurs when an application resolves the location of an executable or library using a path that a lower-privileged user can influence - commonly via environment variables, the system PATH, working directory, or DLL search order on Windows. The GlobalProtect App runs privileged background processes (services or daemons) that, under vulnerable versions, can be tricked into loading attacker-supplied code by planting a malicious binary in a user-writable directory that appears earlier in the search order than the legitimate binary. Affected platforms are Windows, macOS, and Linux per CPE cpe:2.3:a:palo_alto_networks:globalprotect_app covering versions in the 6.0, 6.2, and 6.3 branches. The GlobalProtect UWP app and mobile variants (iOS, Android, Chrome OS) are explicitly excluded, likely because those platforms enforce stricter sandboxing and application packaging that prevents path manipulation.

RemediationAI

Upgrade to a patched release per branch: for the 6.0.x branch, upgrade to GlobalProtect App 6.0.11 or 6.0.13 as applicable to your platform; for the 6.2.x branch, upgrade to 6.2.8-h10 (build 948); for the 6.3.x branch, upgrade to 6.3.3-h9 (build 999) or 6.3.3-h2 (build 42) per the Palo Alto Networks advisory at https://security.paloaltonetworks.com/CVE-2026-0251. Where immediate patching is not possible, restrict local interactive login on GlobalProtect-managed endpoints to only trusted administrative accounts, eliminating the untrusted-user precondition for exploitation - note this may not be feasible in shared-endpoint environments. Additionally, audit and restrict write permissions on directories in the system PATH and GlobalProtect installation path to prevent non-administrative users from placing files in locations searched by GlobalProtect processes; this reduces but does not eliminate the untrusted search path exposure. On Windows, consider enabling and monitoring Windows Defender Credential Guard and application allowlisting (WDAC/AppLocker) to detect or block unauthorized binary execution in privileged contexts.

Share

EUVD-2026-30102 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy