{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/prisma-access-agent-endpoint-dlp/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Prisma Access Agent (Endpoint DLP)"],"_cs_severities":["medium"],"_cs_tags":["cve-2026-0247","privilege-escalation","authorization-bypass","endpoint-dlp"],"_cs_type":"advisory","_cs_vendors":["Palo Alto Networks"],"content_html":"\u003cp\u003ePalo Alto Networks has disclosed CVE-2026-0247, a set of authorization bypass vulnerabilities affecting the Endpoint DLP component of Prisma Access Agent. A local attacker can exploit these flaws to bypass authentication mechanisms and execute privileged operations. The vulnerabilities affect Prisma Access Agent versions prior to 26.2.1 on both macOS and Windows. Successful exploitation requires Endpoint DLP to be enabled on the target system. Palo Alto Networks internally discovered and reported the issue. Defenders should upgrade to version 26.2.1 or later.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains local access to a system with a vulnerable version of Prisma Access Agent and with Endpoint DLP enabled.\u003c/li\u003e\n\u003cli\u003eAttacker identifies the specific privileged operations within the Endpoint DLP component that lack proper authentication.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious payload or script to interact with the vulnerable Endpoint DLP component.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the payload locally, exploiting the missing authentication checks.\u003c/li\u003e\n\u003cli\u003eThe Prisma Access Agent Endpoint DLP component processes the attacker\u0026rsquo;s request without proper authorization.\u003c/li\u003e\n\u003cli\u003eAttacker successfully bypasses intended DLP policies, potentially allowing unauthorized data access or exfiltration.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the escalated privileges to perform sensitive actions on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0247 allows a local attacker to bypass Endpoint DLP restrictions and potentially exfiltrate sensitive data from a compromised system. This could lead to the exposure of confidential information. Palo Alto Networks is not aware of any malicious exploitation of these issues.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Prisma Access Agent to version 26.2.1 or later on both macOS and Windows systems to remediate CVE-2026-0247.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to detect suspicious process execution related to DLP bypass attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:02:10Z","date_published":"2026-05-13T16:02:10Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0247-prisma-access-agent-dlp-auth-bypass/","summary":"Multiple authorization bypass vulnerabilities exist in the Endpoint DLP component of Prisma Access Agent, allowing a local attacker to bypass authentication controls and execute privileged operations on macOS and Windows systems with Endpoint DLP enabled; versions prior to 26.2.1 are affected.","title":"CVE-2026-0247 Prisma Access Agent Endpoint DLP: Authorization Bypass Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0247-prisma-access-agent-dlp-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Prisma Access Agent (Endpoint DLP)","version":"https://jsonfeed.org/version/1.1"}