Description
Akamai Guardicore Platform Agent (GPA) and Zero Trust Client on Linux and macOS allow TOCTOU-based local privilege escalation. The GPA service creates an IPC socket in the world-writable /tmp directory. It accepts unauthenticated IPC control messages. This enables a TOCTOU vulnerability in the HandleSaveLogs() function of the GPA service, by creating a log file and manipulating it into a symlink that points to the targeted path; this can allow an unprivileged local user to make arbitrary root-owned files world-writable. In addition, a diagnostic collection tool (gimmelogs) running with root privileges was vulnerable to command injection from the dbstore, offering a second privilege escalation vector. (On Windows, gimmelogs does not have command injection but does allow writing a ZIP archive to an unintended location.) This affects Akamai Guardicore Platform Agent 7.0 through 7.3.1 and Akamai Zero Trust Client 6.0 through 6.1.5.
Published: 2026-05-08
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Guardicore Platform Agent contains a TOCTOU local privilege escalation flaw that allows any non-root user to create or modify files as root. The flaw arises because the GPA service creates an IPC socket in a world-writable /tmp location and accepts unauthenticated control messages. In the HandleSaveLogs() routine, a privileged process can be tricked into writing to a path that is replaced by a user-created symlink, turning the operation into a privileged write. Additionally, the diagnostic tool gimmelogs, which runs as root, is vulnerable to command injection via the dbstore interface, providing a second escalation route.
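The weakness class described above (CWE-367), shown as an added example that is not taken from the Guardicore agent or from this record: a check-then-use file operation by name beside a descriptor-based form. The function names, file names and temp-directory scenario are hypothetical and constructed for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical names; this is not the agent's code. */

/* Check-then-use by name (CWE-367): the path is resolved twice, and
 * chmod() follows symlinks, so a swap between the calls redirects it. */
int set_log_mode_by_path(const char *path, mode_t mode) {
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode)) return -1;
    /* race window: `path` may now name a different object */
    return chmod(path, mode);
}

/* Hardened: resolve the name once, refuse a symlink in the final
 * component, then check and change the inode behind the descriptor. */
int set_log_mode_by_fd(const char *path, mode_t mode) {
    struct stat st;
    int rc = -1;
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;              /* a symlink fails here */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1)
        rc = fchmod(fd, mode);          /* acts on the fd, not the name */
    close(fd);
    return rc;
}

/* Constructed scenario in a private temp dir: "target" (0600) stands in
 * for a protected file and "agent.log" is a symlink to it. The hardened
 * call goes through the link or straight to the file. Returns target's
 * permission bits afterwards, or -1 on a setup error. */
int demo_target_mode(int via_symlink) {
    char dir[] = "/tmp/toctou-demo-XXXXXX", tgt[64], lnk[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(tgt, sizeof tgt, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/agent.log", dir);
    int fd = open(tgt, O_CREAT | O_WRONLY, 0600);
    if (fd < 0 || close(fd) != 0 || symlink(tgt, lnk) != 0) return -1;
    set_log_mode_by_fd(via_symlink ? lnk : tgt, 0666);
    int ok = stat(tgt, &st);
    unlink(lnk); unlink(tgt); rmdir(dir);
    return ok == 0 ? (int)(st.st_mode & 0777) : -1;
}
```

O_NOFOLLOW only covers the last path component, so the directory that holds the file also has to be owned by the privileged user and not be world-writable.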

Affected Systems

Affected products are the Akamai Guardicore Platform Agent versions 7.0 through 7.3.1 and the Akamai Zero Trust Client versions 6.0 through 6.1.5. The vulnerability exists on Linux and macOS deployments; on Windows the gimmelogs component does not allow command injection but can write ZIP archives to unintended locations.

Risk and Exploitability

The overall severity is a CVSS score of 7.4. The EPSS score is not available, but the absence of a CISA KEV listing suggests no known widespread exploitation yet. The attack vector is strictly local; an attacker must already have an unprivileged user account on the affected host. Exploitation requires only standard user privileges to create the malicious symlink or supply a crafted dbstore payload, and then the GPA service or gimmelogs process will perform the privileged write or command execution. Because the GPA IPC socket is world‑writable and unauthenticated, the vulnerability is highly exploitable once an adversary gains a local foothold.

Generated by OpenCVE AI on May 8, 2026 at 18:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Guardicore Platform Agent and Zero Trust Client updates (7.3.2+ and 6.1.6+).
  • If updating is not possible immediately, change the permissions of the GPA IPC socket in /tmp to restrict write access and place it in a non‑world‑writable directory.
  • Disable or remove the gimmelogs diagnostic tool, or configure it to run with restricted permissions and sanitize dbstore inputs to mitigate the secondary command‑injection path.


Advisories

No advisories yet.

History

Fri, 08 May 2026 19:00:00 +0000

Type | Values Removed | Values Added
Title | | Guardicore Platform Agent Local Privilege Escalation via TOCTOU and Command Injection

Fri, 08 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 08 May 2026 16:00:00 +0000

Type | Values Removed | Values Added
Description | | Akamai Guardicore Platform Agent (GPA) and Zero Trust Client on Linux and macOS allow TOCTOU-based local privilege escalation. The GPA service creates an IPC socket in the world-writable /tmp directory. It accepts unauthenticated IPC control messages. This enables a TOCTOU vulnerability in the HandleSaveLogs() function of the GPA service, by creating a log file and manipulating it into a symlink that points to the targeted path; this can allow an unprivileged local user to make arbitrary root-owned files world-writable. In addition, a diagnostic collection tool (gimmelogs) running with root privileges was vulnerable to command injection from the dbstore, offering a second privilege escalation vector. (On Windows, gimmelogs does not have command injection but does allow writing a ZIP archive to an unintended location.) This affects Akamai Guardicore Platform Agent 7.0 through 7.3.1 and Akamai Zero Trust Client 6.0 through 6.1.5.
Weaknesses | | CWE-367
References | |
Metrics | | cvssV3_1 {'score': 7.4, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-08T15:59:43.434Z

Reserved: 2026-03-27T00:00:00.000Z

Link: CVE-2026-34354

Vulnrichment

Updated: 2026-05-08T15:59:39.196Z

NVD

Status: Received

Published: 2026-05-08T16:16:10.510

Modified: 2026-05-08T16:16:10.510

Link: CVE-2026-34354

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T18:45:14Z

Weaknesses