CVE-2026-0268: Prisma Access Agent Linux VPN Bypass Vulnerability
A vulnerability in Palo Alto Networks' Prisma Access Agent for Linux allows a local user on an affected system to bypass security controls and route network traffic outside the intended VPN tunnel. This is a local attack that requires an authenticated user account and does not affect Windows, macOS, iOS, Android, or ChromeOS deployments. An attacker exploiting this could potentially access resources or send data outside the VPN tunnel without proper security monitoring.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.4 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-424
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-07-13
NVD description (verbatim)
A security control bypass vulnerability in Prisma Access Agent for Linux allows a local attacker to route network traffic outside the VPN tunnel. This does not impact Prisma Access Agent on Windows, macOS, iOS, Android, or ChromeOS.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-0268 is a security control bypass vulnerability (CWE-424) affecting Prisma Access Agent on Linux. The vulnerability allows a local, authenticated attacker to circumvent the VPN tunnel enforcement mechanism and route traffic directly to external networks. The CVSS 3.1 score of 4.4 reflects low impact—the attack requires local access and privileged context (PR:L), produces limited confidentiality and integrity impact (C:L/I:L), and does not affect availability. The attack vector is entirely local (AV:L), making remote exploitation impossible. Linux kernel components may be involved in the underlying route manipulation, though the primary vulnerability resides in the Prisma Access Agent application logic.
Business impact
Organizations relying on Prisma Access Agent for Linux to enforce VPN-based security policies face a risk that local users could circumvent tunnel enforcement. This is particularly concerning in shared Linux server environments or cloud instances where multiple users or workloads coexist. A compromised or malicious local process could exfiltrate sensitive data outside the VPN tunnel, potentially exposing it to network monitoring or interception. However, the impact is limited to affected Linux systems; enterprises running primarily Windows or macOS endpoints face no direct risk from this issue.
Affected systems
Only Prisma Access Agent running on Linux systems is vulnerable. The scope is clearly defined: Windows, macOS, iOS, Android, and ChromeOS versions are unaffected. Organizations should inventory Linux-based Prisma Access deployments, including on-premise servers, cloud instances (AWS, Azure, GCP), and containerized environments running the agent.
Exploitability
The vulnerability requires local access and a valid user account on the target Linux system; it cannot be exploited remotely. The attack complexity is low (AC:L), meaning no special conditions or user interaction are needed once an attacker has local shell access. In environments where unauthorized local access is unlikely or where Linux systems are not shared, risk is correspondingly lower. However, in containerized environments, CI/CD pipelines, or multi-tenant cloud instances, the attack surface may be broader.
Remediation
Remediation requires patching Prisma Access Agent on all affected Linux systems. Consult the Palo Alto Networks security advisory for specific patch version numbers and availability timelines. Pending patches, network segmentation policies and access controls on Linux systems running Prisma Access Agent should be reviewed to minimize the number of local users with shell access. Consider restricting which accounts and processes are permitted to interact with the VPN agent configuration.
Patch guidance
Verify the availability of a patched version of Prisma Access Agent for Linux from Palo Alto Networks' official security advisory or support portal. Deploy patches in a controlled manner starting with non-production systems to validate stability. Given the MEDIUM severity and local-only attack vector, patch urgency is lower than for critical remote vulnerabilities, but should still be prioritized within standard patch cycles for systems handling sensitive data. Document the patching timeline for compliance and audit purposes.
Detection guidance
Monitor for unauthorized modifications to network routing tables on systems running Prisma Access Agent for Linux. Use host-based intrusion detection (HIDS) to flag unexpected route additions or changes to the system's IP forwarding configuration. Endpoint detection and response (EDR) tools should alert on processes attempting to interact with VPN agent APIs or configuration files outside of normal agent operations. Log review should focus on local privilege escalation attempts and unusual process spawning from unprivileged user accounts. Network monitoring can identify traffic egressing from systems running the agent outside the VPN tunnel, though this requires baseline traffic profiling.
Why prioritize this
Although the CVSS score is MEDIUM (4.4), this vulnerability warrants timely but measured attention. It requires local access, limiting the threat actor pool to those already on the system or able to compromise a local account. However, the nature of the exploit—bypassing VPN tunnel enforcement—has high operational significance in security-conscious organizations. Prioritize patching Linux systems handling high-value data or operating in less-trusted environments (cloud-hosted, shared infrastructure) ahead of isolated, tightly controlled systems.
Risk score, explained
The CVSS 3.1 score of 4.4 reflects a MEDIUM severity driven by three key factors: (1) Attack Vector is Local (AV:L), immediately eliminating remote exploitability; (2) Privileges Required (PR:L) means an attacker must already have a user account, limiting the pool of potential attackers; (3) Impact is limited to Confidentiality (C:L) and Integrity (I:L) with no Availability impact (A:N), meaning the attack does not cause denial of service. The bypass of security controls is significant, but contained by the high barrier to initial access. Organizations with strict local access controls will face lower practical risk than those with permissive user provisioning.
Frequently asked questions
Does this vulnerability affect our Windows or macOS endpoints running Prisma Access?
No. This vulnerability is specific to Linux deployments of Prisma Access Agent. Windows, macOS, iOS, Android, and ChromeOS versions are not affected.
Can this be exploited remotely, or do I need physical access to the machine?
This vulnerability requires local access to the affected Linux system and a valid user account. Remote exploitation is not possible. An attacker would need to be on the system already (e.g., via a compromised account or container) or gain shell access through another vulnerability.
What does 'routing traffic outside the VPN tunnel' mean for my organization?
Normally, Prisma Access Agent enforces that all network traffic is encrypted and routed through the VPN tunnel. This vulnerability allows a local user to bypass that enforcement and send traffic directly to external networks, potentially exposing sensitive data to eavesdropping or circumventing security policies that rely on centralized VPN egress points.
Is this vulnerability currently being exploited in the wild?
This vulnerability is not listed in the Known Exploited Vulnerabilities (KEV) catalog, meaning there is no public evidence of active exploitation. However, the local access requirement makes it less likely to be the subject of mass exploitation compared to remote vulnerabilities.
This analysis is provided for informational purposes and reflects the vulnerability details as of the publication and modification dates listed. Patch version numbers and availability should be verified directly against Palo Alto Networks' official security advisory and support channels. Organizations should conduct their own risk assessment based on their deployed Prisma Access Agent versions, Linux system inventory, and local access control policies. This vulnerability analysis does not constitute professional security advice; consult with your security team or a qualified vendor representative for guidance specific to your environment. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-0270HIGHCortex XSOAR Path Traversal on Linux — Exploit Requirements & Patching Guide
- CVE-2026-0271HIGHPalo Alto Networks Prisma Access Agent Linux Privilege Escalation
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2025-71314MEDIUMLinux Panthor GPU Driver Denial of Service via Cache Flush Timeout
- CVE-2025-71315MEDIUMLinux Kernel vkms DRM Vblank Timer Denial of Service
- CVE-2026-0266MEDIUMStored XSS in Palo Alto Networks PAN-OS Web Interface
- CVE-2026-0267MEDIUMPalo Alto GlobalProtect macOS Passcode Exposure Vulnerability
- CVE-2026-0269MEDIUMPAN-OS Tunnel Traffic Memory Corruption & Firewall Reboot DoS