medium advisory

CVE-2026-0246 Prisma Access Agent Local Privilege Escalation Vulnerability

A local privilege escalation vulnerability exists in Palo Alto Networks Prisma Access Agent versions prior to 26.2.1 on Linux, macOS, and Windows, allowing a locally authenticated non-administrative user to gain root or NT AUTHORITY\SYSTEM privileges and execute arbitrary code.

CVE-2026-0246 describes a privilege escalation vulnerability within the Palo Alto Networks Prisma Access Agent. Specifically, a locally authenticated, non-administrative user can exploit a flaw in the privilege management mechanism. Successful exploitation allows the attacker to elevate their privileges to root on macOS and Linux systems, or to NT AUTHORITY\SYSTEM on Windows systems. This vulnerability affects Prisma Access Agent versions prior to 26.2.1 on Linux, macOS and Windows. Prisma Access Agent on iOS, Android and Chrome OS is not affected. The vulnerability allows execution of arbitrary code and reading of sensitive information accessible only to privileged accounts. Palo Alto Networks discovered this vulnerability internally.

Attack Chain

  1. Attacker gains local access to a machine with a vulnerable Prisma Access Agent installed (version < 26.2.1).
  2. Attacker identifies the vulnerable privilege management mechanism within the Prisma Access Agent.
  3. Attacker crafts a malicious request or input that exploits the missing authorization (CWE-862) in the agent.
  4. The malicious request bypasses intended privilege checks due to the flawed mechanism.
  5. The Prisma Access Agent attempts to perform an action requiring elevated privileges based on the attacker’s crafted input.
  6. Due to missing authorization, the agent incorrectly executes the action with root (Linux/macOS) or NT AUTHORITY\SYSTEM (Windows) privileges.
  7. Attacker executes arbitrary code within the context of the elevated privileges.
  8. Attacker gains unauthorized access to sensitive information or resources.

Impact

Successful exploitation of CVE-2026-0246 allows a local, non-administrative user to gain complete control of the affected system. This could lead to data exfiltration, installation of malware, or disruption of services. While Palo Alto Networks is not aware of any malicious exploitation, the potential impact is significant due to the complete compromise of the affected host. This vulnerability affects organizations utilizing Prisma Access Agent on Linux, macOS, and Windows.

Recommendation

  • Upgrade Prisma Access Agent to version 26.2.1 or later on Linux, macOS, and Windows to remediate CVE-2026-0246 per the vendor advisory.
  • Deploy the Sigma rule “Detect Prisma Access Agent Privilege Escalation Attempt via Process Creation” to detect potential exploitation attempts.
  • Monitor process creation events for unusual processes spawned by the Prisma Access Agent as indicated in the detection rule.
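To scope the upgrade, the following added example (not part of the original advisory or any vendor tooling) triages an endpoint inventory against the fixed version 26.2.1 and the affected platforms listed above. The host names, the inventory layout and the dotted numeric version format are assumptions; the sample rows are constructed.

```python
import re

FIXED = (26, 2, 1)  # first fixed release per the advisory
AFFECTED_OS = {"linux", "macos", "windows"}
UNAFFECTED_OS = {"ios", "android", "chromeos"}

def parse_version(text):
    """Return (major, minor, patch), or None if the string is unusable.
    Assumes dotted numeric versions; a build suffix such as "-112" is ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())

def classify(os_name, version):
    """Classify one inventory row: vulnerable, fixed, not_affected or unknown."""
    os_key = re.sub(r"[\s_-]", "", (os_name or "").lower())
    if os_key in UNAFFECTED_OS:
        return "not_affected"
    if os_key not in AFFECTED_OS:
        return "unknown"
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"  # never assume a host is patched
    # Numeric tuple comparison: "26.10" sorts after "26.2.1", unlike string order.
    return "vulnerable" if parsed < FIXED else "fixed"

def triage(rows):
    """Group host names by status so unknowns are reviewed, not dropped."""
    report = {"vulnerable": [], "fixed": [], "not_affected": [], "unknown": []}
    for host, os_name, version in rows:
        report[classify(os_name, version)].append(host)
    return report

# Constructed sample inventory: (host, OS, reported agent version).
SAMPLE = [
    ("wks-001", "Windows", "26.2.0"),
    ("wks-002", "macOS", "26.2.1"),
    ("srv-003", "Linux", "25.10.4-112"),
    ("tab-004", "Chrome OS", "26.1.0"),
    ("wks-005", "Windows", ""),
    ("wks-006", "Linux", "26.10"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:13} {', '.join(hosts) or '-'}")
```

Hosts reported as unknown have a missing or unparsable version and should be checked by hand rather than counted as patched.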

Detection coverage (2 rules)

Detect Prisma Access Agent Privilege Escalation Attempt via Process Creation

medium

Detects potential exploitation attempts of CVE-2026-0246 by monitoring for unusual process creation events spawned by the Prisma Access Agent.

Format: sigma
Tactics: defense_evasion, privilege_escalation
Techniques: T1068
Sources: process_creation, windows

Detect Prisma Access Agent Privilege Escalation Attempt via Process Creation (Linux)

medium

Detects potential exploitation attempts of CVE-2026-0246 on Linux by monitoring for unusual process creation events spawned by the Prisma Access Agent.

Format: sigma
Tactics: defense_evasion, privilege_escalation
Techniques: T1068
Sources: process_creation, linux
