CVE-2026-0247
Description
Multiple authorization bypass vulnerabilities in the Endpoint DLP component of Prisma Access Agent® allow a local attacker to bypass authentication controls and execute privileged operations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple authorization bypass vulnerabilities in Prisma Access Agent Endpoint DLP allow a local attacker to bypass authentication and execute privileged operations.
Vulnerability
Multiple authorization bypass vulnerabilities exist in the Endpoint DLP component of Prisma Access Agent on both macOS and Windows. These issues, classified as CWE-306 (Missing Authentication for Critical Function), allow a local attacker to bypass authentication controls and execute privileged operations [1]. Affected versions are 25.0.0 up to but not including 26.2.1 on both platforms. A system is exposed only if the Endpoint DLP feature is enabled [1].
Exploitation
To exploit the vulnerability, an attacker must have local access to the system and low privileges. No user interaction is required. The attack complexity is low, and there are no special attack requirements [1]. The attacker can exploit the authorization bypass to execute privileged operations without proper authentication.
Impact
Successful exploitation has a high impact on the confidentiality, integrity, and availability of the product itself [1]. The attacker can bypass authentication controls and perform privileged operations that they would not normally be authorized to perform. There is no subsequent impact on other systems beyond the affected product [1].
Mitigation
Palo Alto Networks has released a fix in Prisma Access Agent version 26.2.1 for both macOS and Windows [1]. Users should upgrade to 26.2.1 or later to remediate the issue. No workarounds are available [1]. As of the publication date, no active exploitation has been reported [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.