Cybersecurity Blog | RedLegg

Security Bulletin: PAN-OS GlobalProtect Authentication Bypass Vulnerability

Written by RedLegg's Cyber Threat Intelligence Team | 5/29/26 9:40 PM

About:

CVE-2026-0257 is an authentication bypass vulnerability affecting Palo Alto Networks PAN-OS GlobalProtect Portal and Gateway deployments, as well as affected Prisma Access environments.

The vulnerability impacts deployments where GlobalProtect Portal or Gateway functionality is enabled, Authentication Override Cookies are enabled, and a vulnerable certificate configuration is present.

An attacker may exploit the vulnerability to bypass authentication protections and gain unauthorized access to affected GlobalProtect infrastructure. Palo Alto Networks reported limited exploit attempts targeting unpatched devices, and the vulnerability has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

Panorama and Cloud NGFW products are not affected.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES

PAN-OS GlobalProtect Authentication Bypass Vulnerability
 

Identifier: CVE-2026-0257
PoC or Exploitation: Palo Alto Networks reported awareness of limited exploit attempts targeting unpatched vulnerable devices without mitigations applied. CVE-2026-0257 has been added to the CISA Known Exploited Vulnerabilities (KEV) Catalog.
CVSS Score: 7.8 (High, CVSS v4.0) 

Update / Patch:

Palo Alto Networks has released security updates addressing this vulnerability.
 
Affected versions include:
 
  • PAN-OS 12.1 versions earlier than 12.1.4-h6 and 12.1.7

  • PAN-OS 11.2 versions earlier than 11.2.4-h17, 11.2.7-h14, 11.2.10-h7, and 11.2.12

  • PAN-OS 11.1 versions earlier than 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15

  • PAN-OS 10.2 versions earlier than 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6

  • Prisma Access 11.2.0 versions earlier than 11.2.7-h13

  • Prisma Access 10.2.0 versions earlier than 10.2.10-h36
 
Fixed versions include:
 
  • PAN-OS 12.1.4-h6 or later and 12.1.7 or later

  • PAN-OS 11.2.4-h17 or later, 11.2.7-h14 or later, 11.2.10-h7 or later, and 11.2.12 or later

  • PAN-OS 11.1.4-h33 or later, 11.1.6-h32 or later, 11.1.7-h6 or later, 11.1.10-h25 or later, 11.1.13-h5 or later, and 11.1.15 or later

  • PAN-OS 10.2.7-h34 or later, 10.2.10-h36 or later, 10.2.13-h21 or later, 10.2.16-h7 or later, and 10.2.18-h6 or later

  • Prisma Access 11.2.7-h13 or later

  • Prisma Access 10.2.10-h36 or later
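A version-triage helper for the lists above, added here as an example (not code from RedLegg or Palo Alto Networks). It assumes version strings of the form X.Y.Z or X.Y.Z-hN and reads the fixed list conservatively: a release counts as fixed only if it is on a listed maintenance line at or above the listed hotfix, or on a maintenance release newer than the highest one listed for its branch. The inventory hostnames are constructed.

```python
import re

# Fixed releases copied from the bulletin's "Fixed versions include" list.
FIXED = {
    "PAN-OS": {
        "12.1": ["12.1.4-h6", "12.1.7"],
        "11.2": ["11.2.4-h17", "11.2.7-h14", "11.2.10-h7", "11.2.12"],
        "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6",
                 "11.1.10-h25", "11.1.13-h5", "11.1.15"],
        "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21",
                 "10.2.16-h7", "10.2.18-h6"],
    },
    "Prisma Access": {"11.2": ["11.2.7-h13"], "10.2": ["10.2.10-h36"]},
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse(version):
    """Split 'X.Y.Z[-hN]' into (major, minor, maintenance, hotfix)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part or 0) for part in m.groups())

def status(product, version):
    """Return 'fixed', 'affected' or 'not-listed' (branch absent from the bulletin)."""
    major, minor, maint, hotfix = parse(version)
    listed = FIXED.get(product, {}).get(f"{major}.{minor}")
    if listed is None:
        return "not-listed"
    thresholds = [parse(v) for v in listed]
    # Same maintenance line: fixed once the hotfix reaches the listed one.
    if any(t[2] == maint and hotfix >= t[3] for t in thresholds):
        return "fixed"
    # Assumption: maintenance releases newer than the highest listed carry the fix.
    if maint > max(t[2] for t in thresholds):
        return "fixed"
    return "affected"  # conservative: unlisted lines in between count as affected

# Constructed inventory for illustration; hostnames are made up.
INVENTORY = [
    ("gp-gw-01", "PAN-OS", "11.1.6-h31"),
    ("gp-gw-02", "PAN-OS", "11.2.10-h7"),
    ("gp-portal-01", "PAN-OS", "10.2.18"),
    ("prisma-tenant", "Prisma Access", "10.2.10-h36"),
    ("lab-fw", "PAN-OS", "11.0.4"),
]

def triage(inventory):
    """Map each host to its version-only status."""
    return {host: status(product, ver) for host, product, ver in inventory}
```

The result is version-only: an "affected" release is exposed only when the configuration conditions in the Description also apply, and a "not-listed" branch needs to be checked against the vendor advisory.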

Palo Alto Networks advisory and patch guidance:
 

 

Description:

CVE-2026-0257 is an authentication bypass vulnerability affecting Palo Alto Networks PAN-OS GlobalProtect Portal and Gateway deployments as well as affected Prisma Access environments.
 
Exposure is limited to deployments where GlobalProtect Portal or Gateway functionality is enabled, Authentication Override Cookies are enabled, and a vulnerable certificate configuration is present. Devices that do not meet these requirements are not exposed to exploitation of this vulnerability.
 
Panorama and Cloud NGFW products are not affected by this vulnerability.



Mitigation Recommendation:

Immediately upgrade affected PAN-OS and Prisma Access deployments to fixed versions released by Palo Alto Networks.
 
Review GlobalProtect Portal and Gateway configurations to determine whether Authentication Override Cookies are enabled.
 
Identify exposed GlobalProtect infrastructure and prioritize remediation of externally accessible systems.
 
Review authentication logs, GlobalProtect access logs, and security telemetry for signs of unauthorized access or authentication anomalies.