CVE-2026-0230 Cortex XDR Agent: Local Administrator can disable the agent on macOS
Description
A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on macOS allows a local administrator to disable the agent. This issue could be leveraged by malware to perform malicious activity without detection.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Cortex XDR Agent 9.1 | None on macOS | All on macOS |
| Cortex XDR Agent 9.0 | None on macOS | All on macOS |
| Cortex XDR Agent 8.9 | None on macOS | All on macOS |
| Cortex XDR Agent 8.7-CE | < 8.7.101-CE on macOS | >= 8.7.101-CE on macOS |
| Cortex XDR Agent 8.3-CE | < 8.3.102-CE on macOS | >= 8.3.102-CE on macOS |
Required Configuration for Exposure
No special configuration is required to be affected by this issue.
Severity: MEDIUM, Suggested Urgency: MODERATE
CVSS-BT: 4.0 / CVSS-B: 6.7 (CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:Y/R:U/V:D/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-754: Improper Check for Unusual or Exceptional Conditions
CAPEC-578 Disable Security Software
Solution
This issue is fixed in Cortex XDR Agent 8.9.0, Cortex XDR Agent 8.7.101-CE, Cortex XDR Agent 8.3.102-CE, and all later Cortex XDR Agent versions.
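The following triage sketch is an added example, not part of the Palo Alto Networks advisory: it classifies an endpoint inventory against the version boundaries in the Product Status table and the Solution text. The CSV layout, the host names and the `MAJOR.MINOR.PATCH[-CE]` version string shape are assumptions; versions the advisory does not list are reported as `unlisted` rather than guessed.

```python
import re

# Fixed patch level per Critical Environment (CE) train, from the Product Status table.
FIXED_CE = {(8, 7): 101, (8, 3): 102}
# The Solution text says 8.9.0 and all later versions carry the fix.
FIRST_FIXED_TRAIN = (8, 9)

# Assumed version shape: MAJOR.MINOR.PATCH with an optional -CE suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-CE)?$", re.IGNORECASE)


def classify(os_name, version):
    """Return 'affected', 'unaffected', 'not-applicable' or 'unlisted'."""
    if os_name.strip().lower() != "macos":
        return "not-applicable"  # the advisory covers the macOS agent only
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unlisted"  # unparseable: needs manual review
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    train, is_ce = (major, minor), m.group(4) is not None
    if is_ce and train in FIXED_CE:
        return "affected" if patch < FIXED_CE[train] else "unaffected"
    if not is_ce and train >= FIRST_FIXED_TRAIN:
        return "unaffected"
    return "unlisted"  # train not covered by the advisory's table


def triage(csv_text):
    """Map host -> status for 'host,os,agent_version' lines."""
    result = {}
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        host, os_name, version = (f.strip() for f in line.split(","))
        result[host] = classify(os_name, version)
    return result


# Constructed sample inventory (not real hosts).
INVENTORY = """\
mac-fin-01,macOS,8.7.100-CE
mac-fin-02,macOS,8.7.101-CE
mac-dev-07,macOS,8.3.101-CE
mac-dev-09,macOS,9.0.0
win-ops-03,Windows,8.3.100-CE
mac-lab-11,macOS,8.5.0
"""

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:12} {status}")
```

Hosts reported as `unlisted` need a manual check against the vendor's current guidance before being treated as safe.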
Acknowledgments
CPEs
cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:8.7-CE:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:8.3-CE:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:8.3.101-CE:*:*:*:*:macOS:*:*
CPE Applicability
- cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:*:*:*:*:*:macOS:*:* is vulnerable from (including) 8.7.101 and up to (excluding) 8.7.101-ce
- OR cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:*:*:*:*:*:macOS:*:* is vulnerable from (including) 8.3.102 and up to (excluding) 8.3.102-ce