
PAN-OS GlobalProtect EUVD-2026-30104

CVE-2026-0257 HIGH
Reliance on Cookies without Validation and Integrity Checking (CWE-565)
2026-05-13 palo_alto GHSA-jqxw-84hx-6qj5
7.8
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
7.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:M/U:Red

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:M/U:Red

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: X

Lifecycle Timeline (8 events)

  • Analysis Generated: Jun 08, 2026 - 10:21 (vuln.today)
  • Added to CISA KEV: May 29, 2026 - 19:31 (CISA)
  • Severity Changed: May 29, 2026 - 18:22 (NVD), MEDIUM → HIGH
  • CVSS changed: May 29, 2026 - 18:22 (NVD), 4.7 (MEDIUM) → 7.8 (HIGH)
  • Patch available: May 13, 2026 - 20:02 (EUVD)
  • CVSS changed: May 13, 2026 - 19:22 (NVD), 4.7 (MEDIUM)
  • CVE Published: May 13, 2026 - 18:15 (nvd), UNKNOWN (no severity yet)
  • CVE Published: May 13, 2026 - 18:15 (nvd), HIGH 7.8

Description (CVE.org)

Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allow an attacker to bypass security restrictions and establish an unauthorized VPN connection.

Panorama and Cloud NGFW are not impacted by these issues.

Analysis (AI)

Authentication bypass in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS allows remote attackers to establish unauthorized VPN connections without valid credentials. The flaw is confirmed actively exploited (CISA KEV) and publicly available exploit code exists, though EPSS remains low at 0.05%, suggesting targeted rather than mass exploitation. …


Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

  • Recon: Scan for exposed GlobalProtect portals
  • Delivery: Craft forged authentication cookie
  • Exploit: Submit to portal/gateway endpoint
  • Install: Bypass cookie integrity validation
  • C2: Receive valid VPN tunnel session
  • Execute: Pivot into internal network
  • Impact: Access protected resources

Vulnerability Assessment (AI)

Exploitation: Exploitation requires a network-reachable GlobalProtect portal or gateway on a vulnerable PAN-OS firewall or Prisma Access tenant. That means the customer has GlobalProtect enabled and the portal/gateway interface is exposed (typically internet-facing on TCP/443), which is the default deployment pattern for remote-access VPN customers. …

Risk Assessment: Signals diverge sharply and should be reconciled before deprioritizing. …

Exploit Scenario: An attacker scans the internet for exposed GlobalProtect portal endpoints (TCP/443) and sends a crafted HTTPS request with forged or replayed cookie values that the portal accepts without proper integrity validation. Leveraging the publicly available exploit code, the attacker obtains a valid VPN tunnel into the corporate network as if they were an enrolled user, then pivots to internal services, file shares, or domain infrastructure under the routing scope granted to GlobalProtect clients.

Remediation: Vendor-released patches are available. Upgrade PAN-OS to 10.2.18-h6, 11.1.15, 11.2.12, or 12.1.7 (or the corresponding hotfix on your maintenance train such as 11.1.13-h5, 11.2.10-h7, 12.1.4-h6) per the Palo Alto advisory at https://security.paloaltonetworks.com/CVE-2026-0257; Prisma Access tenants should be updated to 10.2.10-h36 or 11.2.7-h13 minimum. …

Recommended Action (AI)

Within 24 hours: Identify all PAN-OS and Prisma Access deployments and confirm running versions against CISA KEV advisory. …
