Cortex XDR Broker VM: Sensitive Information Disclosure Vulnerability

Plan Patch | 8.4 | CVE-2026-0231 | Mar 11, 2026
Palo Alto Networks
IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries
Summary

An information disclosure vulnerability in Cortex XDR Broker VM allows an authenticated user to obtain and modify sensitive information by triggering a live terminal session via the Cortex UI and changing configuration settings. The vulnerability affects versions below 30.0.49.

What this means
What could happen
An authenticated user could access sensitive information and modify configuration settings on your Cortex XDR Broker VM, potentially disrupting your security monitoring and response capabilities or exposing credentials and system secrets.
Who's at risk
Security teams and IT operations staff who manage Palo Alto Networks Cortex XDR Broker VM deployments (versions below 30.0.49) and rely on this system for threat detection and response across their network.
How it could be exploited
An attacker with valid credentials and network access to the Cortex XDR Broker VM can log into the Cortex UI, start a live terminal session, and use that access to read sensitive data or change configuration settings that control how the system operates.
Prerequisites
  • Valid user credentials for Cortex XDR Broker VM
  • Network access to the Broker VM UI (typically HTTPS port 443)
authenticated access required | network access required to UI | affects security monitoring systems | medium CVSS score
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product | Affected Versions | Fix Status
Cortex XDR Broker VM | Below 30.0.49 | 30.0.49+
Remediation & Mitigation
Do now
  • HARDENING: Restrict network access to the Cortex XDR Broker VM UI to authorized management networks only using firewall rules or network segmentation
  • HARDENING: Enforce strong password policies and multi-factor authentication (MFA) for all Cortex XDR user accounts
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update Cortex XDR Broker VM to version 30.0.49 or later