Prisma Access Agent Endpoint DLP: Authorization Bypass Vulnerabilities
Plan PatchCVSS 8.5CVE-2026-0247May 13, 2026
Palo Alto Networks
IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries
Summary
Multiple authorization bypass vulnerabilities in the Endpoint DLP component of Prisma Access Agent allow a local attacker to bypass authentication controls and execute privileged operations. The vulnerabilities affect Prisma Access Agent on both macOS and Windows platforms below version 26.2.1.
What this means
What could happen
A local attacker could bypass authentication controls in Prisma Access Agent's Endpoint DLP component and execute operations they shouldn't be permitted to do, potentially exposing sensitive data or disrupting data loss prevention protections on corporate endpoints.
Who's at risk
Organizations using Prisma Access Agent for endpoint data loss prevention on macOS or Windows workstations should address this vulnerability. This affects corporate endpoints where sensitive data is accessed, including engineering workstations, administrative computers, and user devices handling confidential information.
How it could be exploited
An attacker with local access to a workstation running the Prisma Access Agent could exploit the authorization bypass to execute privileged operations without proper authentication, circumventing the endpoint DLP controls designed to prevent unauthorized data access or exfiltration.
Prerequisites
- Local access to the endpoint running Prisma Access Agent
- Prisma Access Agent version below 26.2.1 on macOS or Windows
Local exploitation requiredNo patch available for enterprise organizations without updating to 26.2.1+Could undermine endpoint DLP protections
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (2)
2 with fix
ProductAffected VersionsFix Status
Prisma Access Agent (Endpoint DLP)Below 26.2.1 on macOS26.2.1 on macOS+
Prisma Access Agent (Endpoint DLP)Below 26.2.1 on Windows26.2.1 on Windows+
Remediation & Mitigation
0/2
Schedule — requires maintenance window
0/2Patching may require device reboot — plan for process interruption
Prisma Access Agent (Endpoint DLP)
HOTFIXUpdate Prisma Access Agent (Endpoint DLP) to version 26.2.1 or later on all macOS endpoints
HOTFIXUpdate Prisma Access Agent (Endpoint DLP) to version 26.2.1 or later on all Windows endpoints
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/426d9dcf-663f-4ef5-a411-d3c4fd2cce78Get OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.