Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Amber
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Amber
Lifecycle Timeline
3DescriptionCVE.org
A SQL injection vulnerability in Trust Protection Foundation allows an authenticated attacker to execute arbitrary SQL commands against the product database. Successful exploitation could allow an attacker to read sensitive data, modify database contents, and escalate privileges to gain full administrative control of the platform.
AnalysisAI
SQL injection in Palo Alto Networks Trust Protection Foundation exposes the platform database to arbitrary command execution by authenticated attackers on an adjacent network. Affected versions span four active release trains (24.1.x, 24.3.x, 25.1.x, 25.3.x), with successful exploitation enabling full database read/write access and privilege escalation to administrative control. No public exploit code exists and no active exploitation has been identified; EPSS sits at 0.01% and SSVC exploitation status is 'none', but the SSVC technical impact rating of 'total' underscores the severity of a successful attack.
Technical ContextAI
CWE-89 (Improper Neutralization of Special Elements used in SQL Command) describes a failure to sanitize or parameterize user-controlled input before it is passed to a SQL query engine. In Trust Protection Foundation - Palo Alto Networks' PKI and certificate lifecycle management platform (CPE: cpe:2.3:a:palo_alto_networks:trust_protection_foundation:*:*:*:*:*:*:*:*) - at least one authenticated endpoint constructs SQL queries incorporating unsanitized user input, permitting injection of arbitrary SQL syntax. The CVSS 4.0 attack vector of Adjacent (AV:A) indicates exploitation requires the attacker to share a local network, Bluetooth, or similar adjacent segment with the target, which is architecturally consistent with an enterprise certificate management platform typically deployed inside a protected network zone rather than directly internet-facing.
RemediationAI
Upgrade to the nearest fixed release for your branch: Trust Protection Foundation 24.1.13, 24.3.6, 25.1.8, or 25.3.3, per the vendor advisory at https://security.paloaltonetworks.com/CVE-2026-0242. If immediate patching is not feasible, the adjacency requirement (AV:A) provides a structural compensating control - restricting network access to the Trust Protection Foundation management interface to only authorized administrator subnets via firewall ACLs or network segmentation will prevent adjacent-but-unauthorized users from reaching the vulnerable endpoint. Additionally, enforcing the principle of least privilege by auditing which users hold even low-level authenticated access to the platform reduces the pool of potential attackers. Note that network restriction does not eliminate risk for users who legitimately require adjacent access; the side effect of tightening ACLs may impact legitimate PKI operator workflows. Removing low-privilege accounts that have no operational need to access the platform is a zero-side-effect hardening measure.
More in Trust Protection Foundation
View allIncorrect Authorization in Palo Alto Networks Trust Protection Foundation allows adjacent-network unauthenticated attack
Sensitive vault credential disclosure in Palo Alto Networks Trust Protection Foundation allows an authenticated, adjacen
Same weakness CWE-89 – SQL Injection
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30094
GHSA-q9w8-2xxh-ccfm