Description
A code injection vulnerability in Palo Alto Networks Prisma® Browser on macOS fails to properly restrict access to its AppleScript interface allowing a locally authenticated non-admin user to leverage this exposed Apple Event handler to send unauthorized commands to the browser.
Published: 2026-05-13
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a code injection flaw in the AppleScript interface of Palo Alto Networks Prisma Browser on macOS. An attacker who is locally authenticated but not an administrator can abuse an exposed Apple Event handler to inject arbitrary AppleScript commands. This can lead to unauthorized browser control and could provide a foothold for data disclosure or lateral movement. The weakness is classified as CWE-94.

Affected Systems

Palo Alto Networks Prisma Browser for macOS, in versions prior to 146.16.6.165, is affected. The product can be identified by its CPE entry; it is distributed under the Palo Alto Networks brand.

Risk and Exploitability

The CVSS score of 7.3 indicates a high severity with significant impact. EPSS is not available, so the exploitation probability cannot be quantified. The vulnerability is not listed in CISA's KEV catalog. The attack vector is local; it requires the user to be authenticated but does not require elevated privileges. Based on the description, it is inferred that the attacker would need to run a malicious AppleScript or trigger Apple Events to exercise the flaw, gaining control of the browser. Consequently, the risk is significant for any machine running an affected Prisma Browser instance where local user accounts have AppleScript access.

Generated by OpenCVE AI on May 13, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Prisma Browser to version 146.16.6.165 or later as recommended by Palo Alto Networks.
  • If an upgrade is not immediately possible, disable or restrict AppleScript access to the browser, preventing Apple Events from reaching the vulnerable handler.
  • Monitor the system for anomalous AppleScript or Apple Event activity, and log any attempts to execute commands against the browser to detect potential abuse.
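A version check that implements the first recommended action above, as an added example that is not part of the OpenCVE record or of Palo Alto Networks tooling; the app bundle path and the use of CFBundleShortVersionString in Info.plist are assumptions about the installation layout, and the fixed version comes from the advisory text.

```python
"""Check an installed Prisma Browser build against the first fixed release for CVE-2026-0236.

Added example. Assumptions: the bundle path below is a placeholder for the real install
location, and the build number is exposed as CFBundleShortVersionString in Info.plist.
"""
from __future__ import annotations

import plistlib
import sys
from pathlib import Path

FIXED_VERSION = "146.16.6.165"  # first fixed release named in the advisory
# Placeholder path (assumption): adjust to where Prisma Browser is installed on the host.
APP_INFO_PLIST = Path("/Applications/Prisma Browser.app/Contents/Info.plist")


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted version into integers so '146.16.6.9' sorts below '146.16.6.165'.
    Plain string comparison would get that wrong, because '9' > '1' lexically."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build predates the first fixed release."""
    inst, fix = parse_version(installed), parse_version(fixed)
    # Pad the shorter tuple with zeros so '146.16.6' compares as '146.16.6.0'.
    width = max(len(inst), len(fix))
    inst += (0,) * (width - len(inst))
    fix += (0,) * (width - len(fix))
    return inst < fix


def installed_version(plist_path: Path = APP_INFO_PLIST) -> str | None:
    """Read CFBundleShortVersionString from the bundle's Info.plist; None if not installed."""
    if not plist_path.is_file():
        return None
    with plist_path.open("rb") as fh:
        return plistlib.load(fh).get("CFBundleShortVersionString")


def main() -> int:
    version = installed_version()
    if version is None:
        print("Prisma Browser not found at the assumed path; nothing to check.")
        return 0
    if is_vulnerable(version):
        print(f"VULNERABLE: {version} is below {FIXED_VERSION}; upgrade per the CVE-2026-0236 advisory.")
        return 1
    print(f"OK: {version} is at or above {FIXED_VERSION}.")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it on each managed Mac; a non-zero exit code flags hosts still on a pre-fix build.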


Advisories

No advisories yet.

History

Wed, 13 May 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 13 May 2026 18:30:00 +0000

Type | Values Removed | Values Added
Description | | A code injection vulnerability in Palo Alto Networks Prisma® Browser on macOS fails to properly restrict access to its AppleScript interface allowing a locally authenticated non-admin user to leverage this exposed Apple Event handler to send unauthorized commands to the browser.
Title | | Prisma Browser: Code Injection Enables Security Controls Bypass
First Time appeared | | Palo Alto Networks; Palo Alto Networks prisma Browser
Weaknesses | | CWE-94
CPEs | | cpe:2.3:a:palo_alto_networks:prisma_browser:*:*:*:*:*:*:*:*
Vendors & Products | | Palo Alto Networks; Palo Alto Networks prisma Browser
References | |
Metrics | | cvssV4_0: {'score': 7.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/AU:N/R:U/V:D/RE:M/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: palo_alto

Published:

Updated: 2026-05-15T03:56:03.887Z

Reserved: 2025-11-03T20:43:57.172Z

Link: CVE-2026-0236

Vulnrichment

Updated: 2026-05-13T18:53:38.676Z

NVD

Status: Awaiting Analysis

Published: 2026-05-13T19:16:57.183

Modified: 2026-05-14T16:21:23.190

Link: CVE-2026-0236

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T20:00:04Z

Weaknesses