Akamai Guardicore Local Privilege Escalation Hits Linux, macOS Clients

The National Vulnerability Database has disclosed CVE-2026-34354, a high-severity local privilege escalation vulnerability affecting Akamai Guardicore Platform Agent (GPA) and Zero Trust Client on Linux and macOS. The GPA service, designed for endpoint security, creates an IPC socket in the world-writable /tmp directory, and that placement enables a Time-of-Check to Time-of-Use (TOCTOU) race in the HandleSaveLogs() function.

An unprivileged local user can exploit this by replacing a log file with a symlink pointing to an arbitrary path, which lets the attacker make root-owned files world-writable. Compounding the issue, the diagnostic collection tool gimmelogs, which runs with root privileges, was found vulnerable to command injection from its dbstore, providing a second, critical privilege-escalation vector. On Windows, gimmelogs allows writing a ZIP archive to an unintended location, though there is no command injection.

Akamai Guardicore Platform Agent versions 7.0 through 7.3.1 and Akamai Zero Trust Client versions 6.0 through 6.1.5 are affected. Defenders must prioritize patching these clients immediately. An attacker gaining root access on an endpoint protected by Guardicore fundamentally undermines the zero-trust posture, turning a security control into an attack vector.

What This Means For You

  • If your organization uses Akamai Guardicore Platform Agent or Zero Trust Client on Linux or macOS, you are exposed to local privilege escalation. Attackers can leverage this to gain root access, bypassing endpoint security. Immediately identify all affected systems running GPA 7.0-7.3.1 or Zero Trust Client 6.0-6.1.5 and apply the latest security updates provided by Akamai. Audit systems for any suspicious file modifications in `/tmp` or unexpected root-owned world-writable files.
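As an added illustration of the audit step above (this is not part of the original advisory or of Akamai's tooling), the script below flags root-owned world-writable regular files under a directory tree and symlinks in /tmp that resolve outside it. The owner uid is a parameter only so the check can be exercised without root, and the sample tree it builds is constructed for the demonstration.

```python
import os
import stat
import tempfile

def find_world_writable_files(root, owner_uid=0):
    """Walk root without following symlinks; return sorted paths of regular
    files owned by owner_uid that are world-writable. owner_uid=0 is the real
    audit; it is a parameter only so the check can be exercised unprivileged."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never dereference a planted symlink
            except OSError:
                continue
            if (stat.S_ISREG(st.st_mode) and st.st_uid == owner_uid
                    and st.st_mode & stat.S_IWOTH):
                hits.append(path)
    return sorted(hits)

def find_escaping_symlinks(tmpdir="/tmp"):
    """Return sorted (link, resolved_target) pairs for symlinks directly under
    tmpdir whose target resolves outside it, the shape a log-file symlink
    pointing at an arbitrary path would take."""
    base = os.path.realpath(tmpdir)
    try:
        names = os.listdir(tmpdir)
    except OSError:
        return []
    out = []
    for name in names:
        link = os.path.join(tmpdir, name)
        if os.path.islink(link):
            target = os.path.realpath(link)
            if os.path.commonpath([base, target]) != base:
                out.append((link, target))
    return sorted(out)

def build_sample_tree():
    """Constructed sample, not real agent data: one world-writable file, one
    normal file, one symlink escaping the directory and one staying inside."""
    d = tempfile.mkdtemp(prefix="gpa_audit_")
    for name, mode in (("agent.log", 0o666), ("notes.txt", 0o644)):
        open(os.path.join(d, name), "w").close()
        os.chmod(os.path.join(d, name), mode)
    os.symlink("/etc/hosts", os.path.join(d, "planted.log"))  # escapes tmpdir
    os.symlink(os.path.join(d, "notes.txt"), os.path.join(d, "inside.lnk"))
    return d
```

On a live host, run find_world_writable_files("/") and find_escaping_symlinks() with their defaults and review every hit against what the installed packages are expected to own.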

Detection Rules


Severity: high · ATT&CK T1068 (Privilege Escalation) · Sigma rule, auto-generated by the site's feed engine

title: CVE-2026-34354 - Akamai GPA TOCTOU Privilege Escalation via /tmp IPC Socket
id: scw-2026-05-08-ai-1
status: experimental
level: high
description: |
  Detects the exploitation of CVE-2026-34354 by identifying processes attempting to interact with the Akamai Guardicore Platform Agent (GPA) IPC socket in /tmp, specifically targeting the HandleSaveLogs function which is vulnerable to TOCTOU attacks leading to local privilege escalation.
author: SCW Feed Engine (AI-generated)
date: 2026-05-08
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-34354/
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  category: process_creation
detection:
  selection:
    Image|startswith:
      - '/tmp/gpa_ipc_socket'
    CommandLine|contains:
      - 'HandleSaveLogs'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World


Indicators of Compromise

ID             | Type                   | Indicator
CVE-2026-34354 | Privilege Escalation   | Akamai Guardicore Platform Agent (GPA) 7.0 through 7.3.1 on Linux and macOS
CVE-2026-34354 | Privilege Escalation   | Akamai Zero Trust Client 6.0 through 6.1.5 on Linux and macOS
CVE-2026-34354 | Privilege Escalation   | TOCTOU vulnerability in the HandleSaveLogs() function of the GPA service via the IPC socket in /tmp
CVE-2026-34354 | Command Injection      | Diagnostic collection tool (gimmelogs) running with root privileges via dbstore on Linux and macOS
CVE-2026-34354 | Information Disclosure | gimmelogs on Windows allows writing a ZIP archive to an unintended location

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 08, 2026 at 19:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

