Skip to main content

Cortex XDR Broker VM EUVDEUVD-2026-42690

| CVE-2026-0276 LOW
Improper Privilege Management (CWE-269)
2026-07-09 palo_alto GHSA-8fv5-24p8-44h5
1.1
CVSS 4.0 · Vendor: palo_alto

Severity by source

Vendor (palo_alto) PRIMARY
1.1 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
vuln.today AI
5.3 MEDIUM

Local access and low privilege required; root on a narrow-function VM appliance yields limited C/I/A with no scope change beyond the VM.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (palo_alto).

CVSS VectorVendor: palo_alto

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 09, 2026 - 21:01 EUVD
Analysis Generated
Jul 09, 2026 - 20:26 vuln.today

DescriptionCVE.org

A privilege escalation vulnerability in Palo Alto Networks Cortex® XDR Broker VM enables a locally authenticated user to perform actions as the root user.

AnalysisAI

Privilege escalation in Palo Alto Networks Cortex XDR Broker VM permits locally authenticated users to perform operations as the root user within the appliance. The vulnerability is constrained to the Broker VM itself - the CVSS 4.0 vector (SC:N/SI:N/SA:N) confirms no scope change to subsequent or adjacent systems, limiting the blast radius to the VM appliance. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local authenticated access to Broker VM
Exploit
Trigger improper privilege management flaw
Execution
Elevate session to root
Impact
Access or modify root-restricted VM resources

Vulnerability AssessmentAI

Exploitation Exploitation requires an active local authenticated session on the Cortex XDR Broker VM appliance; the CVSS vector AV:L/PR:L confirms this explicitly. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 4.0 score of 1.1 is among the lowest possible ratings, driven by local attack vector (AV:L), low-privilege requirement (PR:L), unexploited threat status (E:U), and low impact across confidentiality, integrity, and availability (VC:L/VI:L/VA:L) with zero scope change to subsequent systems. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with existing local authentication to the Cortex XDR Broker VM - such as a malicious insider or an attacker who has already established a foothold via another vulnerability - exploits the improper privilege management flaw to elevate their session to root. With root access, the attacker can read or modify Broker VM configuration, potentially exposing credentials or communication keys used between the VM and the Cortex XDR cloud. …
Remediation Consult the Palo Alto Networks security advisory at https://security.paloaltonetworks.com/CVE-2026-0276 for the official patch and fixed version, as no specific remediated version was provided in available intelligence data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42690 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy