Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
Local access and low privilege required; root on a narrow-function VM appliance yields limited C/I/A with no scope change beyond the VM.
Primary rating from Vendor (palo_alto).
CVSS VectorVendor: palo_alto
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
Lifecycle Timeline
2DescriptionCVE.org
A privilege escalation vulnerability in Palo Alto Networks Cortex® XDR Broker VM enables a locally authenticated user to perform actions as the root user.
AnalysisAI
Privilege escalation in Palo Alto Networks Cortex XDR Broker VM permits locally authenticated users to perform operations as the root user within the appliance. The vulnerability is constrained to the Broker VM itself - the CVSS 4.0 vector (SC:N/SI:N/SA:N) confirms no scope change to subsequent or adjacent systems, limiting the blast radius to the VM appliance. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an active local authenticated session on the Cortex XDR Broker VM appliance; the CVSS vector AV:L/PR:L confirms this explicitly. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 4.0 score of 1.1 is among the lowest possible ratings, driven by local attack vector (AV:L), low-privilege requirement (PR:L), unexploited threat status (E:U), and low impact across confidentiality, integrity, and availability (VC:L/VI:L/VA:L) with zero scope change to subsequent systems. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with existing local authentication to the Cortex XDR Broker VM - such as a malicious insider or an attacker who has already established a foothold via another vulnerability - exploits the improper privilege management flaw to elevate their session to root. With root access, the attacker can read or modify Broker VM configuration, potentially exposing credentials or communication keys used between the VM and the Cortex XDR cloud. … |
| Remediation | Consult the Palo Alto Networks security advisory at https://security.paloaltonetworks.com/CVE-2026-0276 for the official patch and fixed version, as no specific remediated version was provided in available intelligence data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42690
GHSA-8fv5-24p8-44h5