{"api_version":"1","generated_at":"2026-04-21T10:23:04+00:00","cve":"CVE-2026-0232","urls":{"html":"https://cve.report/CVE-2026-0232","api":"https://cve.report/api/cve/CVE-2026-0232.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-0232","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-0232"},"summary":{"title":"Cortex XDR Agent: Local Administrator can disable the agent on Windows","description":"A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows allows a local Windows administrator to disable the agent. This issue may be leveraged by malware to perform malicious activity without detection.","state":"PUBLISHED","assigner":"palo_alto","published_at":"2026-04-13 08:16:20","updated_at":"2026-04-13 15:01:43"},"problem_types":["CWE-15","CWE-15 CWE-15: External Control of System or Configuration Setting"],"metrics":[{"version":"4.0","source":"psirt@paloaltonetworks.com","type":"Secondary","score":"4","severity":"MEDIUM","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:D/RE:M/U:Amber","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:D/RE:M/U:Amber","baseScore":4,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"UNREPORTED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"YES","Recovery":"USER","valueDensity":"DIFFUSE","vulnerabilityResponseEffort":"MODERATE","providerUrgency":"AMBER"}},{"version":"4.0","source":"CNA","type":"CVSS","score":"4","severity":"MEDIUM","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:Y/R:U/V:D/RE:M/U:Amber","data":{"Automatable":"YES","Recovery":"USER","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"LOCAL","baseScore":4,"baseSeverity":"MEDIUM","exploitMaturity":"UNREPORTED","privilegesRequired":"HIGH","providerUrgency":"AMBER","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"DIFFUSE","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:Y/R:U/V:D/RE:M/U:Amber","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnerabilityResponseEffort":"MODERATE"}}],"references":[{"url":"https://security.paloaltonetworks.com/CVE-2026-0232","name":"https://security.paloaltonetworks.com/CVE-2026-0232","refsource":"psirt@paloaltonetworks.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-0232","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0232","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Palo Alto Networks","product":"Cortex XDR Agent","version":"unaffected 9.1.0 5.10.14 custom","platforms":[]},{"source":"CNA","vendor":"Palo Alto Networks","product":"Cortex XDR Agent","version":"unaffected 9.0 custom","platforms":[]},{"source":"CNA","vendor":"Palo Alto Networks","product":"Cortex XDR Agent","version":"unaffected 8.9 custom","platforms":[]},{"source":"CNA","vendor":"Palo Alto Networks","product":"Cortex XDR Agent","version":"unaffected 8.7-CE custom","platforms":[]},{"source":"CNA","vendor":"Palo Alto Networks","product":"Cortex XDR Agent","version":"affected 9.0 9.0.1 custom","platforms":["Windows"]},{"source":"CNA","vendor":"Palo Alto Networks","product":"Cortex XDR Agent","version":"affected 8.9 8.9.1 custom","platforms":["Windows"]},{"source":"CNA","vendor":"Palo Alto Networks","product":"Cortex XDR Agent","version":"affected 8.7-CE 8.7.101-CE custom","platforms":["Windows"]},{"source":"CNA","vendor":"Palo Alto Networks","product":"Cortex XDR Agent","version":"affected 8.3-CE 8.3-CE-CU-2120 custom","platforms":["Windows"]},{"source":"CNA","vendor":"Palo Alto Networks","product":"Cortex XDR Agent","version":"affected 7.9-CE 7.9-CE-CU-2120 custom","platforms":["Windows"]}],"timeline":[{"source":"CNA","time":"2026-04-08T16:00:00.000Z","lang":"en","value":"Initial publication."}],"solutions":[{"source":"CNA","title":"","value":"To fully remediate this vulnerability, customers must ensure their Content Update is at version 2120 or higher. This update provides the necessary protection across all supported versions of Cortex XDR.\n\nWhile the Content Update provides the primary fix, the following software releases include complementary architectural enhancements to further harden the environment:\n\n * Cortex XDR 9.1.0 (or later)\n * Cortex XDR 9.0.1 (or later)\n * Cortex XDR 8.9.1 (or later)\n * Cortex XDR 8.7.101-CE (or later)\n\nNote for 8.3-CE and 7.9-CE: These versions are fully protected by applying Content Update 2120. No additional software upgrade is required for these versions to mitigate this specific vulnerability.","time":"","lang":"eng"}],"workarounds":[{"source":"CNA","title":"","value":"No known workarounds exist for this issue.","time":"","lang":"eng"}],"exploits":[{"source":"CNA","title":"","value":"Palo Alto Networks is not aware of any malicious exploitation of this issue.","time":"","lang":"en"}],"credits":[{"source":"CNA","value":"WhatThe0xDoin","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"232","cve":"CVE-2026-0232","epss":"0.000130000","percentile":"0.021130000","score_date":"2026-04-15","updated_at":"2026-04-16 00:13:56"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-0232","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-04-13T13:14:26.660757Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-04-13T13:27:43.511Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Cortex XDR Agent","vendor":"Palo Alto Networks","versions":[{"changes":[{"at":"5.10.14","status":"unaffected"}],"lessThan":"5.10.14","status":"unaffected","version":"9.1.0","versionType":"custom"},{"status":"unaffected","version":"9.0","versionType":"custom"},{"status":"unaffected","version":"8.9","versionType":"custom"},{"status":"unaffected","version":"8.7-CE","versionType":"custom"}]},{"cpes":["cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:9.0.0:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:8.9.0:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:8.7-CE:*:*:*:*:Windows:*:*"],"defaultStatus":"unaffected","platforms":["Windows"],"product":"Cortex XDR Agent","vendor":"Palo Alto Networks","versions":[{"changes":[{"at":"9.0.1","status":"unaffected"}],"lessThan":"9.0.1","status":"affected","version":"9.0","versionType":"custom"},{"changes":[{"at":"8.9.1","status":"unaffected"}],"lessThan":"8.9.1","status":"affected","version":"8.9","versionType":"custom"},{"changes":[{"at":"8.7.101-CE","status":"unaffected"}],"lessThan":"8.7.101-CE","status":"affected","version":"8.7-CE","versionType":"custom"},{"changes":[{"at":"8.3-CE","status":"unaffected"}],"lessThan":"8.3-CE-CU-2120","status":"affected","version":"8.3-CE","versionType":"custom"},{"changes":[{"at":"7.9-CE","status":"unaffected"}],"lessThan":"7.9-CE-CU-2120","status":"affected","version":"7.9-CE","versionType":"custom"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:*:*:*:*:*:Windows:*:*","versionEndExcluding":"9.0.1","versionStartIncluding":"9.0.0","vulnerable":true},{"criteria":"cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:*:*:*:*:*:Windows:*:*","versionEndExcluding":"8.9.1","versionStartIncluding":"8.9.0","vulnerable":true},{"criteria":"cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:*:*:*:*:*:Windows:*:*","versionEndExcluding":"8.7.101-ce","versionStartIncluding":"8.7.101","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"OR"}],"credits":[{"lang":"en","type":"finder","value":"WhatThe0xDoin"}],"datePublic":"2026-04-08T16:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows allows a local Windows administrator to disable the agent.&nbsp;This issue may be leveraged by malware to perform malicious activity without detection."}],"value":"A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows allows a local Windows administrator to disable the agent. This issue may be leveraged by malware to perform malicious activity without detection."}],"exploits":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Palo Alto Networks is not aware of any malicious exploitation of this issue."}],"value":"Palo Alto Networks is not aware of any malicious exploitation of this issue."}],"impacts":[{"capecId":"CAPEC-578","descriptions":[{"lang":"en","value":"CAPEC-578 Disable Security Software"}]}],"metrics":[{"cvssV4_0":{"Automatable":"YES","Recovery":"USER","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"LOCAL","baseScore":4,"baseSeverity":"MEDIUM","exploitMaturity":"UNREPORTED","privilegesRequired":"HIGH","providerUrgency":"AMBER","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"DIFFUSE","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:Y/R:U/V:D/RE:M/U:Amber","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnerabilityResponseEffort":"MODERATE"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-15","description":"CWE-15: External Control of System or Configuration Setting","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-13T07:22:48.325Z","orgId":"d6c1279f-00f6-4ef7-9217-f89ffe703ec0","shortName":"palo_alto"},"references":[{"tags":["vendor-advisory"],"url":"https://security.paloaltonetworks.com/CVE-2026-0232"}],"solutions":[{"lang":"eng","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>To fully remediate this vulnerability, customers must ensure their Content Update is at version 2120 or higher. This update provides the necessary protection across all supported versions of Cortex XDR.</p><p>While the Content Update provides the primary fix, the following software releases include complementary architectural enhancements to further harden the environment:</p><ul><li>Cortex XDR 9.1.0 (or later)</li><li>Cortex XDR 9.0.1 (or later)</li><li>Cortex XDR 8.9.1 (or later)</li><li>Cortex XDR 8.7.101-CE (or later)</li></ul>Note for 8.3-CE and 7.9-CE: These versions are fully protected by applying Content Update 2120. No additional software upgrade is required for these versions to mitigate this specific vulnerability."}],"value":"To fully remediate this vulnerability, customers must ensure their Content Update is at version 2120 or higher. This update provides the necessary protection across all supported versions of Cortex XDR.\n\nWhile the Content Update provides the primary fix, the following software releases include complementary architectural enhancements to further harden the environment:\n\n * Cortex XDR 9.1.0 (or later)\n * Cortex XDR 9.0.1 (or later)\n * Cortex XDR 8.9.1 (or later)\n * Cortex XDR 8.7.101-CE (or later)\n\nNote for 8.3-CE and 7.9-CE: These versions are fully protected by applying Content Update 2120. No additional software upgrade is required for these versions to mitigate this specific vulnerability."}],"source":{"discovery":"EXTERNAL"},"timeline":[{"lang":"en","time":"2026-04-08T16:00:00.000Z","value":"Initial publication."}],"title":"Cortex XDR Agent: Local Administrator can disable the agent on Windows","workarounds":[{"lang":"eng","supportingMedia":[{"base64":false,"type":"text/html","value":"No known workarounds exist for this issue."}],"value":"No known workarounds exist for this issue."}],"x_affectedList":["Cortex XDR Agent 9.0.0","Cortex XDR Agent 8.9.0","Cortex XDR Agent 8.7-CE"],"x_generator":{"engine":"Vulnogram 0.1.0-dev"}}},"cveMetadata":{"assignerOrgId":"d6c1279f-00f6-4ef7-9217-f89ffe703ec0","assignerShortName":"palo_alto","cveId":"CVE-2026-0232","datePublished":"2026-04-13T07:22:48.325Z","dateReserved":"2025-11-03T20:43:53.493Z","dateUpdated":"2026-04-13T13:27:43.511Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-13 08:16:20","lastModifiedDate":"2026-04-13 15:01:43","problem_types":["CWE-15","CWE-15 CWE-15: External Control of System or Configuration Setting"],"metrics":{"cvssMetricV40":[{"source":"psirt@paloaltonetworks.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:D/RE:M/U:Amber","baseScore":4,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"UNREPORTED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"YES","Recovery":"USER","valueDensity":"DIFFUSE","vulnerabilityResponseEffort":"MODERATE","providerUrgency":"AMBER"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"232","Ordinal":"1","Title":"Cortex XDR Agent: Local Administrator can disable the agent on W","CVE":"CVE-2026-0232","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"232","Ordinal":"1","NoteData":"A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows allows a local Windows administrator to disable the agent. This issue may be leveraged by malware to perform malicious activity without detection.","Type":"Description","Title":"Cortex XDR Agent: Local Administrator can disable the agent on W"}]}}}