CVE-2026-0276 (GCVE-0-2026-0276)
Vulnerability from cvelistv5 – Published: 2026-07-09 19:17 – Updated: 2026-07-11 03:55
VLAI
EPSS
VEX
Title
Cortex XDR Broker VM: Privilege Escalation (PE) Vulnerability
Summary
A privilege escalation vulnerability in Palo Alto Networks Cortex® XDR Broker VM enables a locally authenticated user to perform actions as the root user.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-269 - — Improper Privilege Management
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.paloaltonetworks.com/CVE-2026-0276 | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Palo Alto Networks | Cortex XDR Broker VM |
Affected:
20.0.96 , < 31.0.58
(custom)
|
Date Public
2026-07-08 16:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0276",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-11T03:55:15.768Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cortex XDR Broker VM",
"vendor": "Palo Alto Networks",
"versions": [
{
"changes": [
{
"at": "31.0.58",
"status": "unaffected"
}
],
"lessThan": "31.0.58",
"status": "affected",
"version": "20.0.96",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "eng",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cspan\u003eNo special configuration is required to be affected by this issue.\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "No special configuration is required to be affected by this issue."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:palo_alto_networks:cortex_xdr_broker_vm:*:*:*:*:*:*:*:*",
"versionEndExcluding": "31.0.58",
"versionStartIncluding": "20.0.96",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Palo Alto Networks thanks Martin Rougeron for discovering and reporting this issue"
}
],
"datePublic": "2026-07-08T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A privilege escalation vulnerability in Palo Alto Networks Cortex\u00ae XDR Broker VM enables a locally authenticated user to perform actions as the root user."
}
],
"value": "A privilege escalation vulnerability in Palo Alto Networks Cortex\u00ae XDR Broker VM enables a locally authenticated user to perform actions as the root user."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 1.1,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "LOW",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 \u2014 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T19:17:01.145Z",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.paloaltonetworks.com/CVE-2026-0276"
}
],
"solutions": [
{
"lang": "eng",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThis issue is fixed in Cortex XDR Broker VM 31.0.58, and all later Cortex XDR Broker VM versions.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003eIf automatic upgrades are enabled for Broker VM, then no action is required at this time.\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003eIf automatic upgrades are not enabled for Broker VM, then we recommend that you do so to ensure that you always have the latest security patches installed in your software.\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "This issue is fixed in Cortex XDR Broker VM 31.0.58, and all later Cortex XDR Broker VM versions.\n\n * \n\nIf automatic upgrades are enabled for Broker VM, then no action is required at this time.\n\n\n\n\n * \n\nIf automatic upgrades are not enabled for Broker VM, then we recommend that you do so to ensure that you always have the latest security patches installed in your software."
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2026-07-08T16:00:00.000Z",
"value": "Initial publication."
}
],
"title": "Cortex XDR Broker VM: Privilege Escalation (PE) Vulnerability",
"workarounds": [
{
"lang": "eng",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "No known workarounds exist for this issue."
}
],
"value": "No known workarounds exist for this issue."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2026-0276",
"datePublished": "2026-07-09T19:17:01.145Z",
"dateReserved": "2025-11-03T20:44:35.481Z",
"dateUpdated": "2026-07-11T03:55:15.768Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-0276",
"date": "2026-07-10",
"epss": "0.00137",
"percentile": "0.0352"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-0276\",\"sourceIdentifier\":\"psirt@paloaltonetworks.com\",\"published\":\"2026-07-09T20:16:24.670\",\"lastModified\":\"2026-07-11T05:16:31.683\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A privilege escalation vulnerability in Palo Alto Networks Cortex\u00ae XDR Broker VM enables a locally authenticated user to perform actions as the root user.\"}],\"affected\":[{\"source\":\"psirt@paloaltonetworks.com\",\"affectedData\":[{\"vendor\":\"Palo Alto Networks\",\"product\":\"Cortex XDR Broker VM\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"20.0.96\",\"lessThan\":\"31.0.58\",\"versionType\":\"custom\",\"status\":\"affected\",\"changes\":[{\"at\":\"31.0.58\",\"status\":\"unaffected\"}]}]}]}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"psirt@paloaltonetworks.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber\",\"baseScore\":1.1,\"baseSeverity\":\"LOW\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"UNREPORTED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NO\",\"Recovery\":\"USER\",\"valueDensity\":\"DIFFUSE\",\"vulnerabilityResponseEffort\":\"MODERATE\",\"providerUrgency\":\"AMBER\"}}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-07-08T00:00:00+00:00\",\"id\":\"CVE-2026-0276\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"psirt@paloaltonetworks.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-269\"}]}],\"references\":[{\"url\":\"https://security.paloaltonetworks.com/CVE-2026-0276\",\"source\":\"psirt@paloaltonetworks.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-0276\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-07-10T14:20:25.311744Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-07-10T14:20:28.324Z\"}}], \"cna\": {\"title\": \"Cortex XDR Broker VM: Privilege Escalation (PE) Vulnerability\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Palo Alto Networks thanks Martin Rougeron for discovering and reporting this issue\"}], \"impacts\": [{\"capecId\": \"CAPEC-233\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-233 Privilege Escalation\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"USER\", \"baseScore\": 1.1, \"Automatable\": \"NO\", \"attackVector\": \"LOCAL\", \"baseSeverity\": \"LOW\", \"valueDensity\": \"DIFFUSE\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Amber\", \"exploitMaturity\": \"UNREPORTED\", \"providerUrgency\": \"AMBER\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"LOW\", \"vulnerabilityResponseEffort\": \"MODERATE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Palo Alto Networks\", \"product\": \"Cortex XDR Broker VM\", \"versions\": [{\"status\": \"affected\", \"changes\": [{\"at\": \"31.0.58\", \"status\": \"unaffected\"}], \"version\": \"20.0.96\", \"lessThan\": \"31.0.58\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"exploits\": [{\"lang\": \"en\", \"value\": \"Palo Alto Networks is not aware of any malicious exploitation of this issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Palo Alto Networks is not aware of any malicious exploitation of this issue.\", \"base64\": false}]}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-07-08T16:00:00.000Z\", \"value\": \"Initial publication.\"}], \"solutions\": [{\"lang\": \"eng\", \"value\": \"This issue is fixed in Cortex XDR Broker VM 31.0.58, and all later Cortex XDR Broker VM versions.\\n\\n * \\n\\nIf automatic upgrades are enabled for Broker VM, then no action is required at this time.\\n\\n\\n\\n\\n * \\n\\nIf automatic upgrades are not enabled for Broker VM, then we recommend that you do so to ensure that you always have the latest security patches installed in your software.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eThis issue is fixed in Cortex XDR Broker VM 31.0.58, and all later Cortex XDR Broker VM versions.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003eIf automatic upgrades are enabled for Broker VM, then no action is required at this time.\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003eIf automatic upgrades are not enabled for Broker VM, then we recommend that you do so to ensure that you always have the latest security patches installed in your software.\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\", \"base64\": false}]}], \"datePublic\": \"2026-07-08T16:00:00.000Z\", \"references\": [{\"url\": \"https://security.paloaltonetworks.com/CVE-2026-0276\", \"tags\": [\"vendor-advisory\"]}], \"workarounds\": [{\"lang\": \"eng\", \"value\": \"No known workarounds exist for this issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"No known workarounds exist for this issue.\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A privilege escalation vulnerability in Palo Alto Networks Cortex\\u00ae XDR Broker VM enables a locally authenticated user to perform actions as the root user.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"A privilege escalation vulnerability in Palo Alto Networks Cortex\\u00ae XDR Broker VM enables a locally authenticated user to perform actions as the root user.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-269\", \"description\": \"CWE-269 \\u2014 Improper Privilege Management\"}]}], \"configurations\": [{\"lang\": \"eng\", \"value\": \"No special configuration is required to be affected by this issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003e\u003cspan\u003eNo special configuration is required to be affected by this issue.\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e\", \"base64\": false}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:palo_alto_networks:cortex_xdr_broker_vm:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"31.0.58\", \"versionStartIncluding\": \"20.0.96\"}], \"operator\": \"OR\"}], \"operator\": \"OR\"}], \"providerMetadata\": {\"orgId\": \"d6c1279f-00f6-4ef7-9217-f89ffe703ec0\", \"shortName\": \"palo_alto\", \"dateUpdated\": \"2026-07-09T19:17:01.145Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-0276\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-07-11T03:55:15.768Z\", \"dateReserved\": \"2025-11-03T20:44:35.481Z\", \"assignerOrgId\": \"d6c1279f-00f6-4ef7-9217-f89ffe703ec0\", \"datePublished\": \"2026-07-09T19:17:01.145Z\", \"assignerShortName\": \"palo_alto\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…