CVE-2026-0248 MEDIUM

CVE-2026-0248: Prisma Access Agent: Improper Certificate Validation Vulnerability

Vendor: Palo Alto Networks
Product: Prisma Access Agent
Weakness: CWE-295
Published: May 13, 2026
Last update: May 13, 2026

CVSS base score

6.2/10
Attack vector: Adjacent
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:U/AU:Y/R:A/V:D/RE:M/U:Amber

What the vulnerability does

01 Description

An improper certificate validation vulnerability in the Prisma Access Agent® for Android and Chrome OS enables an attacker to perform a man-in-the-middle (MitM) attack to intercept VPN traffic. By presenting a certificate for any domain issued by a trusted Certificate Authority, the attacker can capture sensitive device information. The Prisma Access Agent on macOS, Windows, Linux and iOS is not affected.

Key dates

02 Disclosure timeline

May 13, 2026: CVE published
May 13, 2026: Record updated
