Skip to main content

WildFire WF-500 CVE-2026-0259

| EUVDEUVD-2026-30106 MEDIUM
External Control of File Name or Path (CWE-73)
2026-05-13 palo_alto GHSA-7g39-pmpc-x999
5.0
CVSS 4.0 · Vendor: palo_alto
Share

Severity by source

Vendor (palo_alto) PRIMARY
5.0 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Amber

Primary rating from Vendor (palo_alto) · only source for this CVE.

CVSS VectorVendor: palo_alto

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Amber
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Generated
Jun 08, 2026 - 10:59 vuln.today
Patch available
May 13, 2026 - 20:02 EUVD
CVSS changed
May 13, 2026 - 19:22 NVD
5.0 (MEDIUM)
CVE Published
May 13, 2026 - 18:05 nvd
MEDIUM 5.0
CVE Published
May 13, 2026 - 18:05 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

An arbitrary File Read and Delete Vulnerability in Palo Alto Networks WildFire® WF-500 and WF-500-B appliances enables users to read sensitive information and delete arbitrary files. This vulnerability affects WF-500 and WF-500-B appliances running in the default non-FIPS configuration mode.

The WildFire Appliance (WF-500, WF-500-B) software update is now available to customers that use the WildFire Appliance (WF-500, WF-500-B) for on-premise sandboxing.

Please note that customers using the WildFire Public cloud service are NOT impacted by this vulnerability.

AnalysisAI

Authenticated file read and delete in Palo Alto Networks WildFire WF-500 and WF-500-B on-premise sandboxing appliances exposes sensitive system information and permits arbitrary file deletion by low-privileged network users. The root cause is CWE-73 (External Control of File Name or Path), where user-supplied input is insufficiently validated before being used to construct file system paths. Exploitation is constrained to appliances running in the default non-FIPS configuration mode; organizations relying solely on the WildFire Public cloud service are not impacted. No public exploit has been identified at time of analysis, consistent with EPSS at 0.05% (16th percentile) and SSVC exploitation status of 'none'.

Technical ContextAI

CWE-73 (External Control of File Name or Path) occurs when an application constructs file paths using attacker-influenced input without enforcing a trusted path boundary - enabling path traversal or direct file reference attacks. The affected products (CPE: cpe:2.3:a:palo_alto_networks:wildfire_wf-500_and_wf-500-b:*:*:*:*:*:*:*:*) are dedicated on-premise malware analysis sandbox appliances used in enterprise environments. The vulnerability is constrained to appliances operating in the non-FIPS configuration mode, which is the factory default; FIPS mode presumably enforces stricter access controls or different code paths that mitigate the flaw. The dual-nature impact - both read and delete - suggests the file path control is exercised in at least two distinct code paths or API endpoints within the appliance's management or analysis interface.

RemediationAI

The primary remediation is to upgrade the WF-500 or WF-500-B appliance to a patched software version released by Palo Alto Networks. Depending on the active release train, the fixed versions are: 10.2.18-h6, 10.2.16-h7, 10.2.13-h21, 10.2.10-h36, or 10.2.7-h34 (for the 10.2.x branch); 11.1.13 or 11.1.10-h8 (for the 11.1.x branch); 11.2.11 or 11.2.7-h7 (for the 11.2.x branch); and 12.1.7 or 12.1.4-h5 (for the 12.1.x branch). Full vendor guidance is at https://security.paloaltonetworks.com/CVE-2026-0259. As a compensating control prior to patching, restrict management-plane and appliance interface access to trusted administrator accounts only - reducing the pool of low-privileged users who could reach the vulnerable code paths. Additionally, audit existing low-privilege user accounts on the appliance and remove unnecessary accounts; note this does not eliminate the vulnerability but reduces attack surface. Enabling FIPS mode would mitigate the vulnerability per the vendor description, but this is a significant configuration change that may affect appliance behavior and compatibility and should be tested before production deployment.

Share

CVE-2026-0259 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy