Prisma Access Agent: Local Privilege Escalation Vulnerability

Plan Patch | CVSS 8.5 | CVE-2026-0246 | May 13, 2026
Palo Alto Networks
IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries
Summary

A privilege escalation vulnerability in Palo Alto Networks Prisma Access Agent allows a non-administrative local user to escalate privileges to root (macOS/Linux) or NT AUTHORITY\SYSTEM (Windows). The attacker can then execute arbitrary code or read sensitive information otherwise restricted to privileged accounts. Prisma Access Agent on iOS, Android, and ChromeOS is not affected by this vulnerability.

What this means
What could happen
A non-administrative user on any device running Prisma Access Agent can escalate to full system privileges (root/SYSTEM) and execute arbitrary code or read sensitive data. This affects all employee devices using Prisma Access, potentially compromising your entire network access infrastructure and any credentials stored locally.
Who's at risk
This affects all organizations using Palo Alto Networks Prisma Access Agent on employee Windows, macOS, and Linux workstations. Any employee device running the affected agent versions is at risk. Organizations with significant numbers of remote or hybrid workers, and those managing BYOD or contractor devices, face higher exposure.
How it could be exploited
An attacker with a regular user account on an employee's Windows, macOS, or Linux workstation can exploit a privilege escalation flaw in the Prisma Access Agent to gain root/SYSTEM privileges and run arbitrary commands. This could be a disgruntled employee, lateral movement from a compromised account, or physical access to an unlocked workstation.
Prerequisites
  • Local access to a workstation with Prisma Access Agent installed (Windows, macOS, or Linux)
  • Non-administrative user account on the affected workstation
  • Prisma Access Agent version below 26.2.1
  • Local privilege escalation
  • Affects all major desktop platforms (Windows, macOS, Linux)
  • No fix available for mobile platforms (iOS, Android, ChromeOS)
  • Any non-administrative user can exploit
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (6)
3 with fix, 3 pending
Product | Affected Versions | Fix Status
Prisma Access Agent | Below 26.2.1 on Linux | 26.2.1 on Linux (ETA: 06/04)
Prisma Access Agent | Below 26.2.1 on macOS | 26.2.1 on macOS
Prisma Access Agent | Below 26.2.1 on Windows | 26.2.1 on Windows
Prisma Access Agent | None on Android | No fix yet
Prisma Access Agent | None on ChromeOS | No fix yet
Prisma Access Agent | None on iOS | No fix yet
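To turn the affected-versions list above into a patch queue, the following added example (not code from Palo Alto Networks or this advisory) triages an endpoint inventory against the 26.2.1 fixed release. The CSV columns `hostname`, `os` and `agent_version`, the host names and the sample versions are assumptions constructed for illustration; how the inventory is exported depends on your endpoint management tooling.

```python
import csv
import io

FIXED = (26, 2, 1)                       # first fixed release per the advisory
AFFECTED_OS = {"windows", "macos", "linux"}
UNAFFECTED_OS = {"ios", "android", "chromeos"}

def parse_version(text):
    """Return a 3-part numeric tuple, or None if the string is not dotted-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))   # "26.2" compares as 26.2.0

def classify(os_name, version_text):
    """Map one inventory row to 'vulnerable', 'patched', 'not_affected' or 'review'."""
    os_name = os_name.strip().lower()
    if os_name in UNAFFECTED_OS:
        return "not_affected"
    if os_name not in AFFECTED_OS:
        return "review"                  # unknown platform: do not assume safe
    version = parse_version(version_text)
    if version is None:
        return "review"                  # missing or unparseable version string
    # Tuple comparison is numeric, so 26.10.0 correctly sorts above 26.2.1.
    return "vulnerable" if version < FIXED else "patched"

def triage(csv_text):
    """Group hostnames by status from CSV with hostname,os,agent_version columns."""
    result = {"vulnerable": [], "patched": [], "not_affected": [], "review": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        result[classify(row["os"], row["agent_version"])].append(row["hostname"])
    return result

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = """hostname,os,agent_version
ws-001,Windows,26.2.1
ws-002,Windows,26.10.0
mac-014,macOS,26.2
lin-007,Linux,25.9.4
tab-003,iOS,25.1.0
ws-099,Windows,unknown
"""

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts that land in `review` have an unrecognized platform or version string and should be checked by hand, not treated as patched.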
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Prisma Access Agent
HOTFIX: Update Prisma Access Agent to version 26.2.1 or later on all Windows, macOS, and Linux workstations
All products
HARDENING: Audit user accounts on affected workstations and disable or remove unnecessary local user accounts with elevated privileges
Long-term hardening
WORKAROUND: For Android, ChromeOS, and iOS devices: review Palo Alto Networks security guidance; no patch is available for these platforms
HARDENING: Implement application whitelisting or endpoint detection and response (EDR) on workstations to limit unauthorized code execution