Palo Alto Networks security advisory (AV26-331)
# Vulnerability: Palo Alto Networks April 2026 Security Advisory (AV26-331)
## CVE Details
- **CVE ID:** CVE-2026-0234, CVE-2026-0233, CVE-2026-0232 (Additional Chromium CVEs via PAN-SA-2026-0004)
- **CVSS Score:** Varies by CVE (specific scores are not given in the summary; the issues involve authentication bypass and security feature bypass)
- **CWE:** CWE-347 (Improper Verification of Cryptographic Signature), CWE-295 (Improper Certificate Validation)
## Affected Systems
- **Cortex XSOAR / XSIAM (Microsoft Teams Marketplace):** Versions 1.5.0 to 1.5.51.
- **Autonomous Digital Experience Manager (ADEM):** Versions 5.11.0 to 5.11.3.
- **Cortex XDR Agent (Windows):**
  - 9.0 (prior to 9.0.1)
  - 8.9 (prior to 8.9.1)
  - 8.7-CE (prior to 8.7.101-CE)
  - 8.3-CE (all versions)
  - 7.9-CE (all versions)
  - *Note: All Windows XDR vulnerabilities apply if CU-2120 is missing.*
- **Prisma Browser:** Versions prior to 145.16.12.110.
## Vulnerability Description
This advisory covers multiple flaws across the Palo Alto ecosystem:
1. **CVE-2026-0234 (Microsoft Teams Integration):** A flaw in the cryptographic signature verification within the MS Teams integration for Cortex XSOAR/XSIAM. This could allow an attacker to forge communications.
2. **CVE-2026-0233 (ADEM):** Failure to properly validate the ADEM certificate, potentially enabling Man-in-the-Middle (MitM) attacks or unauthorized data access.
3. **CVE-2026-0232 (Cortex XDR):** A logic flaw allowing a user with Local Administrator privileges on Windows to bypass anti-tampering protections and disable the XDR agent.
4. **PAN-SA-2026-0004:** A roll-up of multiple vulnerabilities affecting the underlying Chromium engine used in Prisma Browser.
## Exploitation
- **Status:** Not specified as "exploited in the wild" in the primary bulletin.
- **Complexity:**
  - CVE-2026-0232: **Low** (requires local admin).
  - CVE-2026-0233/0234: **Medium** (requires network positioning or specific integration access).
- **Attack Vector:**
  - CVE-2026-0232: **Local**
  - CVE-2026-0233/0234: **Network**
## Impact
- **Confidentiality:** Moderate to High (Potential interception of communications).
- **Integrity:** High (Ability to forge signatures or manipulate agent status).
- **Availability:** High (Ability to disable security monitoring on endpoints).
## Remediation
### Patches
- **Cortex XSOAR/XSIAM Teams Marketplace:** Update to version **1.5.52** or later.
- **ADEM:** Upgrade to version **5.11.4** or later.
- **Cortex XDR Agent (Windows):** Update to **9.0.1**, **8.9.1**, or **8.7.101-CE** AND ensure **CU-2120** is applied.
- **Prisma Browser:** Upgrade to version **145.16.12.110** or later.
### Workarounds
- **XDR Agent:** Ensure strict control over Local Administrator accounts to prevent unauthorized agent tampering until patches are applied.
## Detection
- **Indicators of Compromise:** Monitor for unexpected service stops of the `cyserver` or XDR processes on Windows endpoints.
- **Detection methods:** Audit MS Teams integration logs for signature verification failures. Use Palo Alto Panorama or the XDR Management Console to identify agents running vulnerable versions without the required Cumulative Update (CU-2120).
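The version check described above, as an added example that is not part of the advisory or any Palo Alto tool: it applies the Windows XDR agent rules from the Affected Systems and Remediation sections to a constructed agent inventory (hostnames and the `cu2120` field are assumptions), flagging an agent when its build is below the fixed build for its track, when its track has no fixed build, or when CU-2120 is absent.

```python
import re
from typing import Optional

# Fixed builds per release track, from the advisory's Remediation section.
XDR_FIXED = {"9.0": (9, 0, 1), "8.9": (8, 9, 1), "8.7-CE": (8, 7, 101)}
# Tracks the advisory lists as affected in all versions (no fixed build).
XDR_UNFIXED_TRACKS = {"8.3-CE", "7.9-CE"}

def parse_version(v: str) -> tuple:
    """Turn '8.7.100-CE' into ((8, 7, 100), 'CE'); suffix is '' for non-CE builds."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([A-Za-z]+))?", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums, (m.group(2) or "").upper()

def xdr_track(v: str) -> str:
    """Map a build to its advisory track, e.g. '8.7.100-CE' -> '8.7-CE'."""
    nums, suffix = parse_version(v)
    track = ".".join(str(n) for n in nums[:2])
    return f"{track}-{suffix}" if suffix else track

def xdr_agent_affected(version: str, cu2120_applied: bool) -> Optional[str]:
    """Return the reason the Windows XDR agent is affected, or None if it is not."""
    nums, _ = parse_version(version)
    track = xdr_track(version)
    if track in XDR_UNFIXED_TRACKS:
        return f"{track}: all versions affected, move to a fixed track"
    if track in XDR_FIXED and nums < XDR_FIXED[track]:
        fixed = ".".join(str(n) for n in XDR_FIXED[track])
        return f"{version} is below fixed build {fixed}"
    # Tracks not named in the advisory are only checked for the cumulative update.
    if not cu2120_applied:
        return "CU-2120 not applied"
    return None

# Constructed sample inventory (hostnames and CU status are made up for this example).
INVENTORY = [
    {"host": "win-fin-01", "version": "9.0.0", "cu2120": True},
    {"host": "win-fin-02", "version": "9.0.1", "cu2120": False},
    {"host": "win-hr-07", "version": "8.9.1", "cu2120": True},
    {"host": "win-lab-03", "version": "8.7.100-CE", "cu2120": True},
    {"host": "win-lab-04", "version": "8.3.5-CE", "cu2120": True},
]

def find_affected(inventory) -> list:
    """Return (host, reason) pairs for every agent that still needs remediation."""
    findings = []
    for row in inventory:
        reason = xdr_agent_affected(row["version"], row["cu2120"])
        if reason:
            findings.append((row["host"], reason))
    return findings
```

Feed it an export from the XDR Management Console with the same three columns to get the list of endpoints that still need the agent update or CU-2120.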
## References
- **Vendor Advisories:**
  - hxxps[://]security[.]paloaltonetworks[.]com/CVE-2026-0234
  - hxxps[://]security[.]paloaltonetworks[.]com/PAN-SA-2026-0004
  - hxxps[://]security[.]paloaltonetworks[.]com/CVE-2026-0233
  - hxxps[://]security[.]paloaltonetworks[.]com/CVE-2026-0232
- **Canadian Centre for Cyber Security:**
  - hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/palo-alto-networks-security-advisory-av26-331