CVE-2026-0257
Published: 13 May 2026
Summary
CVE-2026-0257 is a high-severity Reliance on Cookies without Validation and Integrity Checking (CWE-565) vulnerability in Palo Alto Networks PAN-OS. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique External Remote Services (T1133). The CVE ranks in the top 0.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-0257 is an authentication bypass vulnerability affecting the GlobalProtect portal and gateway in Palo Alto Networks PAN-OS software. The flaw, tracked under CWE-565, permits an attacker to circumvent security controls and establish an unauthorized VPN connection. Panorama and Cloud NGFW deployments are explicitly not impacted.
An unauthenticated remote attacker can exploit the issue over the network without user interaction or credentials, achieving limited access that bypasses intended VPN authentication restrictions. The CVSS 4.0 score of 7.8 reflects high severity driven by network attack vector, low complexity, and subsequent impacts on confidentiality, integrity, and availability within the broader environment.
Vendor guidance is available in the Palo Alto Networks security advisory, while Siemens has published a related product certificate and CISA has added the CVE to its Known Exploited Vulnerabilities catalog. These sources collectively indicate that organizations should apply available patches or configuration mitigations without delay.
The current EPSS score of 0.5879, matching its recorded peak, combined with CISA KEV listing, signals active real-world exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-30104
Vulnerability details
Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allow the attacker to bypass security restrictions and establish an unauthorized VPN connection. Panorama and Cloud NGFW are not impacted by these issues.
- CWE(s)
- KEV Date Added: 29 May 2026
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authentication bypass directly enables unauthorized access to external remote services (VPN) and exploitation of a public-facing application.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly enforces authentication requirements before granting VPN session establishment, blocking the bypass that allows unauthorized GlobalProtect access.
Mandates secure authentication and authorization mechanisms for all remote access connections through the GlobalProtect portal/gateway.
Requires identification and authentication of non-organizational users before permitting VPN tunnel establishment, directly countering the unauthenticated bypass.