Skip to content
Threat Feed
medium threat exploited

CVE-2026-0278 Prisma Access Agent: Multiple DLP Policy Bypass Vulnerabilities on Windows

CVE-2026-0278 describes multiple protection mechanism failures in the Prisma Access Agent's Data Loss Prevention (DLP) component for Windows, allowing a local user to bypass DLP policy enforcement controls and exfiltrate sensitive data on affected versions prior to 26.2.1.

Palo Alto Networks has disclosed CVE-2026-0278, a medium-severity vulnerability impacting the Prisma Access Agent's Data Loss Prevention (DLP) component on Windows. This flaw stems from "multiple protection mechanism failures" that permit a local user with low privileges to circumvent DLP policy enforcement. This means sensitive data intended to be protected by DLP could be copied, moved, or exfiltrated without detection or prevention. The vulnerability affects all versions of Prisma Access Agent for Windows prior to 26.2.1. The macOS version of the agent is not affected. The issue was discovered and reported externally by Daniel Cuthbert and Vladislav Ovitchinikov from Banco Santander. Palo Alto Networks is currently unaware of any malicious exploitation of this vulnerability in the wild.

Attack Chain

  1. A Windows endpoint is running a vulnerable version of the Palo Alto Networks Prisma Access Agent (specifically, any version below 26.2.1) with Data Loss Prevention (DLP) policies configured.
  2. A local user with low privileges attempts to perform an operation, such as copying a sensitive file to an external drive or an unauthorized network share, that should normally be restricted by the configured DLP policies.
  3. The Prisma Access Agent's DLP component is engaged to inspect and enforce the policy on the user's attempted action.
  4. Due to "multiple protection mechanism failures" (CVE-2026-0278) inherent in the agent's DLP component, the mechanism designed to prevent the restricted action fails to function correctly.
  5. The DLP policy enforcement is bypassed, allowing the local user's restricted operation (e.g., data transfer) to complete successfully despite the policy.
  6. Sensitive data that DLP was intended to protect is consequently exposed, copied, or exfiltrated by the local user, circumventing the organization's security controls.

Impact

The primary impact of CVE-2026-0278 is the potential for unauthorized data exfiltration or misuse of sensitive information by local users on affected Windows endpoints. Organizations relying on Prisma Access Agent's DLP capabilities to prevent accidental or malicious data loss will find their controls bypassed. While Palo Alto Networks has not observed in-the-wild exploitation, a successful bypass could lead to significant data breaches, regulatory compliance failures, and reputational damage, particularly in sectors handling highly confidential data. The vulnerability impacts all Windows machines running Prisma Access Agent versions below 26.2.1.

Recommendation

  • Upgrade all Prisma Access Agent installations on Windows to version 26.2.1 or later immediately to remediate CVE-2026-0278.