A critical authentication bypass in PAN-OS GlobalProtect portal and gateway lets unauthenticated attackers establish unauthorized VPN connections, and CISA has confirmed active exploitation in the wild.
What Is It
CVE-2026-0257 is an authentication bypass vulnerability (CWE-565: Reliance on Cookies without Validation and Integrity Checking) affecting the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS software. Per the vendor description, the flaw allows an attacker to bypass security restrictions and establish an unauthorized VPN connection. The CVE was published on 2026-05-13 by Palo Alto Networks PSIRT and last modified on 2026-05-29.
NVD assigns a CVSS 3.1 base score of 9.1 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N: network-reachable, low attack complexity, no privileges or user interaction required, high confidentiality and integrity impact, and no availability impact. Palo Alto's own CVSS 4.0 score is 7.8 (HIGH), with exploit maturity rated ATTACKED and provider urgency RED. The two numbers are computed under different CVSS versions and are not directly comparable; the vendor's ATTACKED rating is the more operationally important signal.
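CWE-565 describes code that trusts values carried in a client-supplied cookie without checking that the server issued them. The following is an added illustration of that weakness class in general and its usual fix (an HMAC-authenticated, expiring session cookie); it is example code written for this page, not GlobalProtect code, and nothing in it describes how the PAN-OS implementation actually handles its cookies, which the advisory does not detail. The secret, cookie layout and field names are all assumptions for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret. A real service loads this from protected configuration
# or a KMS and rotates it; it is hard-coded here only so the example runs offline.
SERVER_SECRET = b"demo-only-secret-do-not-use"


def weak_parse_session(cookie: str) -> dict:
    """CWE-565 pattern: fields inside the cookie are taken at face value.

    Anyone who can type 'auth=1' into a cookie header is treated as authenticated,
    because nothing binds the cookie contents to a decision the server made.
    """
    fields = dict(kv.split("=", 1) for kv in cookie.split(";") if "=" in kv)
    return {"user": fields.get("user"), "authenticated": fields.get("auth") == "1"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(user: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Hardened pattern: payload + HMAC-SHA256 tag over it, with an expiry claim."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"user": user, "exp": now + ttl}, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_session(cookie: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims only if the tag verifies and the session has not expired.

    The tag is checked before the payload is parsed, so a forged or edited payload
    never reaches the application logic; compare_digest avoids a timing side channel.
    """
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def forge_payload(cookie: str, user: str) -> str:
    """Attacker view: keep the server's tag but swap the payload (must fail verification)."""
    _, tag_b64 = cookie.split(".", 1)
    forged = json.dumps({"user": user, "exp": 2**31}, separators=(",", ":")).encode()
    return _b64(forged) + "." + tag_b64


if __name__ == "__main__":
    print("weak:", weak_parse_session("user=attacker;auth=1"))        # accepted, no secret needed
    good = issue_session("alice", now=1_000)
    print("hardened, genuine:", verify_session(good, now=1_500))       # claims returned
    print("hardened, forged:", verify_session(forge_payload(good, "attacker"), now=1_500))  # None
    print("hardened, expired:", verify_session(good, now=10_000))      # None
```

The point of the contrast is that the weak parser has no way to distinguish a cookie the server set from one the client wrote, while the hardened verifier rejects anything the server did not sign, plus anything signed but stale; a random per-session identifier looked up in server-side state is an equally valid fix.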
Why It Matters
CISA added CVE-2026-0257 to the Known Exploited Vulnerabilities (KEV) catalog on 2026-05-29, confirming active exploitation. The CVSS 4.0 exploit maturity of ATTACKED corroborates in-the-wild use. Successful exploitation gives an unauthenticated remote attacker a VPN session without valid credentials, that is, the network access normally reserved for an authenticated GlobalProtect user, providing an interactive foothold behind the perimeter. Known ransomware campaign use is currently listed as Unknown by CISA.
What's Vulnerable
- Product: Palo Alto Networks PAN-OS, GlobalProtect portal and gateway features.
- Affected versions (per NVD CPE data): PAN-OS versions prior to 10.2.7, plus numerous 10.2.7, 10.2.8, 10.2.9, and 10.2.10 hotfix builds enumerated in the NVD configuration.
- Not impacted: Panorama and Cloud NGFW, per the vendor description.
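Triage against the affected set above is a version comparison, but PAN-OS hotfix builds (for example 10.2.7-h3) sort after their base release, so a naive string comparison gets them wrong. The helper below is an added example written for this page, not a vendor tool: it parses PAN-OS version strings, treats everything below 10.2.7 as affected, and checks 10.2.x builds against a caller-supplied list of listed hotfix builds. That list is deliberately left for the reader to populate from the NVD configuration or the vendor advisory; the single entry used in the demo is a made-up placeholder, not a real listed build, and the inventory is constructed.

```python
import re
from typing import Dict, Iterable, List, Tuple

# PAN-OS versions look like "10.2.7" or "10.2.7-h3" (hotfix suffix "-h<N>").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

# Per the NVD CPE data quoted on this page, everything before 10.2.7 is in the range.
RANGE_END_EXCLUSIVE = (10, 2, 7, 0)


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, hotfix); a base release has hotfix 0."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, patch, hotfix = match.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_affected(version: str, listed_hotfix_builds: Iterable[str] = ()) -> bool:
    """True if the version is below 10.2.7 or is one of the individually listed builds.

    listed_hotfix_builds must be filled from the NVD configuration or the vendor
    advisory; this function does not embed that list.
    """
    parsed = parse_panos_version(version)
    if parsed < RANGE_END_EXCLUSIVE:
        return True
    listed = {parse_panos_version(v) for v in listed_hotfix_builds}
    return parsed in listed


def triage_inventory(inventory: Dict[str, str], listed_hotfix_builds: Iterable[str] = ()) -> List[str]:
    """Return the names of devices whose reported sw-version is affected, sorted."""
    listed = list(listed_hotfix_builds)
    return sorted(name for name, ver in inventory.items() if is_affected(ver, listed))


if __name__ == "__main__":
    # Constructed inventory of hostnames -> "sw-version" values; none are real devices.
    inventory = {
        "fw-branch-01": "10.1.14-h9",
        "fw-dc-01": "10.2.6",
        "fw-dc-02": "10.2.7-h3",
        "fw-edge-01": "11.1.2",
        "fw-lab-01": "10.2.8-h99",
    }
    # Placeholder only: replace with the builds actually enumerated by NVD / the vendor.
    placeholder_listed = ["10.2.8-h99"]
    print(triage_inventory(inventory, placeholder_listed))
```

Because the affected-build list is an input rather than a constant, the same helper stays correct when the vendor advisory adds or removes builds; just re-run it with the current list rather than editing the comparison logic.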
Patch Status
CISA's required action is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The CISA action due date for federal civilian agencies is 2026-06-01, giving roughly three days from KEV listing. Refer to the Palo Alto Networks security advisory for the current list of fixed PAN-OS releases and any interim mitigations.
Sources
- Palo Alto Networks Security Advisory, CVE-2026-0257: https://security.paloaltonetworks.com/CVE-2026-0257
- NVD, CVE-2026-0257: https://nvd.nist.gov/vuln/detail/CVE-2026-0257
- CISA Known Exploited Vulnerabilities Catalog, CVE-2026-0257: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-0257