Palo Alto Networks security advisory (AV26-228)
Analysis Summary
# Vulnerability: Palo Alto Networks March 2026 Security Updates
## CVE Details
- **Identifiers:** CVE-2026-0231, CVE-2026-0230, PAN-SA-2026-0003 (a Palo Alto Networks advisory ID, not a CVE)
- **CVSS Score:** Varies by CVE (High/Medium)
- **CWE:** CWE-200 (Information Disclosure), CWE-284 (Improper Access Control)
## Affected Systems
- **Products:** Cortex XDR Broker VM, Cortex XDR Agent (macOS), Prisma Browser
- **Versions:**
  - Cortex XDR Broker VM 30.0.0 (versions prior to 30.0.49)
  - Cortex XDR Agent 8.7-CE (versions prior to 8.7.101-CE on macOS)
  - Cortex XDR Agent 8.3-CE (versions prior to 8.3.102-CE on macOS)
  - Prisma Browser (versions prior to 145.7.9.76)
- **Configurations:** macOS specific for XDR Agent vulnerabilities; Linux/VM environment for Broker VM.
## Vulnerability Description
This advisory covers three distinct security issues:
1. **CVE-2026-0231 (Broker VM):** A sensitive information disclosure vulnerability that could allow an attacker to gain access to data they are not authorized to view.
2. **CVE-2026-0230 (XDR Agent):** A flaw in the macOS agent that allows a user with local administrator privileges to bypass security controls and disable the XDR agent software.
3. **PAN-SA-2026-0003 (Prisma Browser):** An update addressing multiple vulnerabilities inherited from the underlying Chromium engine (March 2026 monthly update).
## Exploitation
- **Status:** Not explicitly reported as exploited in the wild (refer to Palo Alto's primary advisory for real-time updates).
- **Complexity:** Low to Medium
- **Attack Vector:**
  - CVE-2026-0231: Network/Local
  - CVE-2026-0230: Local (requires local admin rights)
  - PAN-SA-2026-0003: Network (via malicious web content)
## Impact
- **Confidentiality:** High (Disclosure of sensitive broker data/browser session info)
- **Integrity:** Medium (Disabling of security agents)
- **Availability:** Medium (Loss of endpoint protection visibility)
## Remediation
### Patches
Palo Alto Networks has released the following versions to address these flaws:
- **Cortex XDR Broker VM:** Update to version **30.0.49** or later.
- **Cortex XDR Agent (macOS):** Update to **8.7.101-CE**, **8.3.102-CE**, or later versions.
- **Prisma Browser:** Update to version **145.7.9.76** or later.
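As an added example (not from the advisory or from Palo Alto Networks), the following Python script checks an asset inventory against the fixed versions listed above. The product names, the inventory format and the host entries are constructed assumptions; installed versions on release branches the advisory does not list are reported as not covered rather than guessed.

```python
# Added example: triage an inventory against the AV26-228 fixed versions.
# Not the advisory's code; product keys and inventory lines are constructed.
import re

# Fixed version per product; for the macOS agent, per release branch.
# "*" means the advisory gives one fixed version regardless of branch.
FIXED = {
    "cortex-xdr-broker-vm": {"30.0": "30.0.49"},
    "cortex-xdr-agent-macos": {"8.7": "8.7.101-CE", "8.3": "8.3.102-CE"},
    "prisma-browser": {"*": "145.7.9.76"},
}

def parse_version(v):
    """'8.7.101-CE' -> (8, 7, 101); the -CE suffix carries no ordering."""
    core = v.split("-")[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in core.split("."))

def assess(product, version):
    """Return 'vulnerable', 'fixed' or 'not-covered' for one installed version."""
    table = FIXED.get(product)
    if table is None:
        return "not-covered"
    parts = parse_version(version)
    branch = ".".join(str(p) for p in parts[:2])  # e.g. '8.7' or '30.0'
    fixed = table.get(branch, table.get("*"))
    if fixed is None:
        return "not-covered"  # branch the advisory does not list: do not guess
    return "vulnerable" if parts < parse_version(fixed) else "fixed"

# Constructed sample inventory: hostname,product,version
INVENTORY = """\
mac-001,cortex-xdr-agent-macos,8.7.100-CE
mac-002,cortex-xdr-agent-macos,8.3.102-CE
mac-003,cortex-xdr-agent-macos,8.5.50-CE
broker-01,cortex-xdr-broker-vm,30.0.48
broker-02,cortex-xdr-broker-vm,29.2.7
ws-010,prisma-browser,145.7.9.75
"""

def triage(inventory_text):
    """Map hostname -> assessment for every non-empty inventory line."""
    result = {}
    for line in inventory_text.splitlines():
        if line.strip():
            host, product, version = (f.strip() for f in line.split(","))
            result[host] = assess(product, version)
    return result
```

Running `triage(INVENTORY)` flags mac-001, broker-01 and ws-010 as vulnerable, mac-002 as fixed, and mac-003 and broker-02 as not covered by this advisory.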
### Workarounds
- For CVE-2026-0230: Restrict local administrator privileges on macOS endpoints to only trusted personnel.
- For CVE-2026-0231: Ensure Broker VMs are placed behind appropriate network segmentation and firewalls to limit exposure.
## Detection
- **Indicators of compromise:** Monitor for "Agent Stopped" or "Agent Disabled" alerts in the XDR Management Console, particularly from macOS endpoints.
- **Detection methods:** Audit Broker VM access logs for unauthorized access patterns or unusual data retrieval processes.
## References
- https[:]//security[.]paloaltonetworks[.]com/CVE-2026-0231
- https[:]//security[.]paloaltonetworks[.]com/CVE-2026-0230
- https[:]//security[.]paloaltonetworks[.]com/PAN-SA-2026-0003
- https[:]//www[.]cyber[.]gc[.]ca/en/alerts-advisories/palo-alto-networks-security-advisory-av26-228