Skip to main content

GlobalProtect App CVE-2026-0249

| EUVDEUVD-2026-30100 MEDIUM
Improper Certificate Validation (CWE-295)
2026-05-13 palo_alto GHSA-h3p8-5g8q-vm3h
4.9
CVSS 4.0 · Vendor: palo_alto
Share

Severity by source

Vendor (palo_alto) PRIMARY
4.9 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber

Primary rating from Vendor (palo_alto) · only source for this CVE.

CVSS VectorVendor: palo_alto

CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 11:04 vuln.today
Patch available
May 13, 2026 - 20:02 EUVD
CVSS changed
May 13, 2026 - 19:22 NVD
4.9 (MEDIUM)
CVE Published
May 13, 2026 - 18:32 nvd
MEDIUM 4.9

DescriptionCVE.org

Multiple improper certificate validation vulnerabilities in the Palo Alto Networks GlobalProtect™ app enables an attacker to intercept encrypted communications and potentially compromise the endpoint. This can enable a local non-administrative operating system user or an attacker on the same subnet to redirect traffic to an unauthorized server and facilitate the installation of malicious software.

The GlobalProtect app on Linux, Windows, iOS and GlobalProtect UWP app are not affected.

AnalysisAI

Improper certificate validation in Palo Alto Networks GlobalProtect App exposes macOS and Android users to adversary-in-the-middle attacks from locally adjacent network positions, enabling traffic interception and malicious software installation. The flaw allows an unauthenticated attacker on the same subnet - or a local non-administrative OS user - to redirect encrypted VPN communications to a rogue server by bypassing TLS certificate checks. No public exploit has been identified at time of analysis, EPSS is effectively zero, and CISA SSVC rates exploitation as none, though the high confidentiality and integrity impact on the vulnerable component warrants prompt patching on affected platforms.

Technical ContextAI

CWE-295 (Improper Certificate Validation) describes a failure to adequately verify X.509 certificates during TLS handshakes, allowing a forged or unauthorized certificate to be accepted as legitimate. GlobalProtect is Palo Alto Networks' VPN client used to establish secure tunnels to Prisma Access or PAN-OS gateways. The affected CPE is cpe:2.3:a:palo_alto_networks:globalprotect_app across multiple release trains (6.0, 6.1, 6.2, 6.3). Because the app fails to properly validate the server certificate during tunnel establishment or update processes, an attacker who can intercept network traffic - via ARP spoofing, rogue Wi-Fi, or similar adjacent-network techniques - can present a fraudulent certificate that the app accepts, decrypting or manipulating the encrypted channel. The CVSS 4.0 AT:P (attack target prerequisites exist) component reflects the platform-specificity of the flaw: Linux, Windows, iOS, and the UWP variant are explicitly confirmed unaffected, leaving macOS and Android as the vulnerable deployment targets.

RemediationAI

The primary fix is to upgrade GlobalProtect App on macOS and Android endpoints to the patched releases identified by Palo Alto Networks: 6.0.13 or 6.0.14, 6.1.13, 6.2.8-h10, or 6.3.3-h9, depending on the deployed release train. Refer to the vendor advisory at https://security.paloaltonetworks.com/CVE-2026-0249 for exact upgrade instructions and release notes. While patches are being deployed, organizations can reduce exposure by restricting GlobalProtect macOS and Android clients to trusted network segments where adjacent-network interception is not feasible - for example, enforcing VPN initiation only from wired corporate LANs or known Wi-Fi SSIDs with 802.1X authentication. Instructing users to avoid connecting GlobalProtect from untrusted networks (public Wi-Fi, hotel networks) as a temporary policy measure is a low-impact compensating control; however, this conflicts with the primary use case of remote-worker VPN access and is not a sustainable mitigation. Certificate pinning or gateway-side mutual TLS enforcement may provide partial defense but is subject to the same client-side validation flaw. Upgrade remains the only reliable remediation.

Share

CVE-2026-0249 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy