CVE-2026-0257: exploited in the wild

Palo Alto Networks PAN-OS, GlobalProtect authentication bypass

Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS software allow an attacker to bypass security restrictions and establish an unauthorized VPN connection. The issue stems from reliance on cookies without validation and integrity checking (CWE-565). Panorama and Cloud NGFW are not impacted by these issues.

Overview

CVE-2026-0257 is a critical (CVSS 9.1) authentication bypass in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS, the operating system that powers Palo Alto next-generation firewalls. An attacker can bypass security restrictions and establish an unauthorized GlobalProtect VPN connection, gaining a foothold that bypasses intended authentication controls. Palo Alto Networks published the advisory and NVD published the record on May 13, 2026. CISA added the CVE to its Known Exploited Vulnerabilities catalog on May 29, 2026, confirming exploitation in the wild. Panorama and Cloud NGFW are not impacted.

Technical Details

The weakness is classified as CWE-565 (reliance on cookies without validation and integrity checking). GlobalProtect's portal and gateway accept authentication-related cookies (such as authentication-override cookies) without adequately validating their integrity, allowing an attacker to bypass authentication and establish an unauthorized VPN connection. No authentication, privileges, or user interaction are required, and the attack is delivered over the network. The NVD primary (NIST) assessment is CVSS 3.1 with a base score of 9.1 and vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N; Palo Alto Networks, as the CNA, assigned a CVSS 4.0 base score of 7.8. Both the GlobalProtect portal and gateway are affected, while Panorama and Cloud NGFW are not.

Impact

  • Unauthenticated bypass of GlobalProtect portal and gateway authentication.
  • Establishment of an unauthorized VPN connection into the protected network.
  • Exposure of internal resources normally gated behind VPN authentication.
  • A network foothold suitable for reconnaissance and lateral movement.

Mitigation

  1. Upgrade PAN-OS 10.2 to 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, 10.2.18-h6, or a later release on the relevant maintenance line.
  2. Upgrade PAN-OS 11.1 to 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, 11.1.15, or later.
  3. Upgrade PAN-OS 11.2 to 11.2.4-h17, 11.2.7-h14, 11.2.10-h7, 11.2.12, or later.
  4. Upgrade PAN-OS 12.1 to 12.1.4-h6, 12.1.7, or later; Prisma Access is fixed in the 10.2.10-h36 and 11.2.7-h13 engines or later.
  5. As a workaround until patched, use a dedicated certificate for authentication-override cookies and disable authentication-override options in the GlobalProtect portal and gateway configuration.
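The version lists above are easy to misread by hand because the fix is tied to each maintenance release's hotfix number (a 10.2.13 firewall is fixed at h21, but a 10.2.7 firewall needs h34). The following script, an added example and not Palo Alto Networks tooling, checks a running PAN-OS build string against the fixed builds named on this page. It parses versions as major.minor.maint[-hN], compares the hotfix number when the maintenance release is listed, treats a maintenance release newer than the last listed one as "or later", and deliberately reports "unknown" for builds the advisory does not name (an intermediate maintenance release such as 10.2.11, or a major line such as 10.1 that is not in the table) so that the advisory, not the script, makes the call.

```python
"""Check a running PAN-OS build against the fixed releases for CVE-2026-0257.

Added example, not Palo Alto Networks code. The fixed-build table is the one
given on this page. Verdicts: "fixed", "vulnerable", or "unknown" (the build is
on a maintenance release or major line the advisory does not list).
"""
import re
import sys
from typing import Dict, List, Tuple

# Fixed builds per PAN-OS major line, as listed in the advisory (from this page).
FIXED: Dict[str, List[str]] = {
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    "11.2": ["11.2.4-h17", "11.2.7-h14", "11.2.10-h7", "11.2.12"],
    "12.1": ["12.1.4-h6", "12.1.7"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(s: str) -> Tuple[int, int, int, int]:
    """'10.2.13-h21' -> (10, 2, 13, 21). A release without a hotfix suffix is h0."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {s!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def assess(running: str) -> str:
    """Classify a running build as 'fixed', 'vulnerable' or 'unknown'."""
    major, minor, maint, hotfix = parse_version(running)
    line = f"{major}.{minor}"
    if line not in FIXED:
        # e.g. 10.1 or 11.0: not in the advisory's fix table; check the advisory.
        return "unknown"
    fixed = [parse_version(v) for v in FIXED[line]]

    # The running maintenance release is listed: the hotfix number decides.
    for _, _, fixed_maint, fixed_hotfix in fixed:
        if fixed_maint == maint:
            return "fixed" if hotfix >= fixed_hotfix else "vulnerable"

    # Newer than the last listed maintenance release on this line ("or later").
    if maint > max(fm for _, _, fm, _ in fixed):
        return "fixed"

    # An intermediate maintenance release (e.g. 10.2.11) the advisory does not
    # name. Do not guess: confirm against the advisory's affected ranges.
    return "unknown"


if __name__ == "__main__":
    # Usage: python check_panos.py 10.2.13-h20   (build string from 'show system info')
    for build in sys.argv[1:] or ["10.2.13-h20", "10.2.13-h21", "10.2.19", "10.2.11"]:
        print(f"{build:14s} {assess(build)}")
```

Feed it the sw-version from `show system info` on each firewall (or from your inventory export); anything that is not "fixed" stays on the priority list for the investigation steps in the Detection section.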

Detection

Scope the investigation first: identify every firewall running a GlobalProtect portal or gateway, determine which were internet-facing while on an affected PAN-OS build, and prioritize those. Panorama and Cloud NGFW are not affected. Verify each running build against the fixed versions listed in Palo Alto's advisory; a patched build is the definitive indicator that the vector is closed.

Review GlobalProtect portal and gateway logs for VPN sessions that were established without a corresponding successful authentication event, for reuse or replay of authentication-override cookies, and for connections from unexpected source addresses or from clients that do not match enrolled endpoints. Because the flaw turns on cookie integrity, pay particular attention to authentication-override cookie usage: a session presenting such a cookie that does not trace back to a legitimate prior authentication is suspicious. Confirm whether authentication override is enabled and which signing certificate is in use. The dedicated-certificate workaround changes the expected cookie material, and rotating that certificate invalidates previously issued override cookies, so applying it is a containment action in its own right.

Then hunt inside the network for the consequences of an unauthorized VPN session. Correlate VPN session start times with subsequent authentication, DNS, traffic and threat logs to spot footholds that pivot immediately after connecting: scanning and anomalous lateral movement from VPN-assigned address pools, and access to sensitive resources by sessions that lack an authentication event.

CISA added CVE-2026-0257 to the Known Exploited Vulnerabilities catalog on May 29, 2026. The catalog entry does not currently note ransomware-campaign use, but with confirmed in-the-wild exploitation, any firewall that exposed a GlobalProtect portal or gateway while unpatched should be treated as a candidate for compromise. Treat eradication as incomplete until the firewall is patched, override-cookie certificates are rotated, affected credentials are reset, and the internal network reachable through the VPN has been reviewed for follow-on compromise.
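The log review described above comes down to two correlations: every gateway connection should follow a logged authentication success, and every cookie-based authentication should trace back to an interactive login by the same user within the cookie's lifetime. The script below, an added example and not Palo Alto Networks tooling, runs those checks over a constructed sample. Field names (eventid, status, srcuser, public_ip, private_ip) follow the GlobalProtect log, but the pipe-separated layout, the auth_method column and its "LDAP"/"Cookie" values, the 24-hour cookie lifetime and the 5-minute auth-to-connect window are assumptions for this example; adapt `parse()` to a CSV export from Monitor > Logs > GlobalProtect and set the lifetime to your portal's configured value. Note the cookie-from-new-address check is a review signal rather than a verdict, since roaming users change public addresses legitimately.

```python
"""Hunt GlobalProtect logs for VPN sessions lacking a legitimate prior
authentication, the trace an abuse of CVE-2026-0257 would leave.

Added example, not Palo Alto Networks tooling. Log lines are constructed and
the layout/auth_method values are assumptions (see lead-in).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample: time|eventid|status|srcuser|public_ip|private_ip|auth_method
SAMPLE_LOG = """\
2026/05/20 08:00:01|portal-auth|success|alice|198.51.100.10||LDAP
2026/05/20 08:00:03|gateway-auth|success|alice|198.51.100.10||LDAP
2026/05/20 08:00:05|gateway-connected|success|alice|198.51.100.10|10.99.0.11|
2026/05/20 09:15:00|gateway-auth|success|alice|203.0.113.77||Cookie
2026/05/20 09:15:02|gateway-connected|success|alice|203.0.113.77|10.99.0.12|
2026/05/20 10:40:10|gateway-auth|success|bob|203.0.113.78||Cookie
2026/05/20 10:40:12|gateway-connected|success|bob|203.0.113.78|10.99.0.13|
2026/05/20 11:05:00|gateway-connected|success|carol|192.0.2.5|10.99.0.14|
"""

COOKIE_LIFETIME = timedelta(hours=24)   # assumed; use your portal's configured lifetime
CONNECT_WINDOW = timedelta(minutes=5)   # assumed: auth success must precede connect by <= 5 min
AUTH_EVENTS = {"portal-auth", "gateway-auth"}

# A finding is (kind, srcuser, public_ip, time).
Finding = Tuple[str, str, str, datetime]


def parse(text: str) -> List[Dict[str, object]]:
    """Parse the constructed pipe-separated layout into dicts, oldest first."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, eventid, status, user, pub, priv, method = line.split("|")
        rows.append({"time": datetime.strptime(t, "%Y/%m/%d %H:%M:%S"),
                     "eventid": eventid, "status": status, "srcuser": user,
                     "public_ip": pub, "private_ip": priv, "auth_method": method})
    return sorted(rows, key=lambda r: r["time"])


def hunt(rows: List[Dict[str, object]]) -> List[Finding]:
    findings: List[Finding] = []
    interactive = defaultdict(list)  # user -> [(time, public_ip)] non-cookie successes
    any_auth = defaultdict(list)     # user -> [time] of every auth success
    for r in rows:
        user, ip, t = r["srcuser"], r["public_ip"], r["time"]
        if r["eventid"] in AUTH_EVENTS and r["status"] == "success":
            if r["auth_method"] == "Cookie":
                # An override cookie is only legitimate if this user logged in
                # interactively within the cookie lifetime.
                prior = [(pt, pip) for pt, pip in interactive[user]
                         if timedelta(0) <= t - pt <= COOKIE_LIFETIME]
                if not prior:
                    findings.append(("cookie-no-interactive", user, ip, t))
                elif ip not in {pip for _, pip in prior}:
                    # Cookie presented from an address that never did the
                    # interactive login: possible replay, or a roaming user.
                    findings.append(("cookie-new-address", user, ip, t))
            else:
                interactive[user].append((t, ip))
            any_auth[user].append(t)
        elif r["eventid"] == "gateway-connected":
            # A tunnel with no auth success shortly before it is the core signal.
            recent = [at for at in any_auth[user] if timedelta(0) <= t - at <= CONNECT_WINDOW]
            if not recent:
                findings.append(("connected-without-auth", user, ip, t))
    return findings


if __name__ == "__main__":
    for kind, user, ip, t in hunt(parse(SAMPLE_LOG)):
        print(f"{t} {kind:24s} user={user} public_ip={ip}")
```

On the sample this flags alice's cookie authentication from a new address for review, bob's cookie authentication with no interactive login in the window, and carol's tunnel with no authentication event at all; the last two are the cases to escalate, and the private_ip assigned to each flagged session is the pivot for the internal hunt.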
