CVE-2026-0257
7.8
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:A/AU:N/R:A/V:D/RE:M/U:Red
Summary
Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection.
Panorama and Cloud NGFW are not impacted by these issues.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Palo Alto Networks | Cloud NGFW | All | unaffected |
| Palo Alto Networks | PAN-OS | 12.1.0 < 12.1.7, 12.1.4-h6 | affected |
| Palo Alto Networks | PAN-OS | 11.2.0 < 11.2.12, 11.2.10-h7, 11.2.7-h14, 11.2.4-h17 | affected |
| Palo Alto Networks | PAN-OS | 11.1.0 < 11.1.15, 11.1.13-h5, 11.1.10-h25, 11.1.7-h6, 11.1.6-h32, 11.1.4-h33 | affected |
| Palo Alto Networks | PAN-OS | 10.2.0 < 10.2.18-h6, 10.2.16-h7, 10.2.13-h21, 10.2.10-h36, 10.2.7-h34 | affected |
| Palo Alto Networks | Prisma Access | 10.2.0 < 10.2.10-h36 | affected |
| Palo Alto Networks | Prisma Access | 11.2.0 < 11.2.7-h13 | affected |
Weaknesses
- CWE-565: CWE-565 Reliance on Cookies without Validation and Integrity Checking
Workarounds
Customers can mitigate the risk of this issue by taking any of the following actions:
- Use a dedicated certificate for Authentication Override cookies: Generate a new certificate exclusively for authentication override cookies and store it securely. Do not reuse the portal or gateway certificate, and do not share this certificate with other features or users.
- Disable Authentication Override: Uncheck the Authentication Override options (for generating and accepting cookies) in the GlobalProtect portal and gateway configuration.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: active
- Automatable: no
- Technical Impact: total
Additional References
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.