medium threat exploited

CVE-2026-0241: Trust Protection Foundation Authorization Bypass Vulnerabilities

CVE-2026-0241 describes multiple incorrect authorization vulnerabilities in Palo Alto Networks Trust Protection Foundation that allow attackers to bypass access controls and perform unauthorized actions on restricted resources.

CVE-2026-0241 describes a set of authorization bypass vulnerabilities affecting Palo Alto Networks Trust Protection Foundation. An attacker exploiting these vulnerabilities could potentially bypass access controls and perform unauthorized actions on restricted resources. The affected versions include 25.3.0 before 25.3.3, 25.1.0 before 25.1.8, 24.3.0 before 24.3.6, and 24.1.0 before 24.1.13. Palo Alto Networks internally discovered these vulnerabilities. There is currently no evidence of active exploitation in the wild. Successful exploitation could lead to unauthorized data access or modification within the Trust Protection Foundation.

Attack Chain

  1. The attacker identifies a vulnerable instance of Trust Protection Foundation (versions 25.3.0 < 25.3.3, 25.1.0 < 25.1.8, 24.3.0 < 24.3.6, or 24.1.0 < 24.1.13).
  2. The attacker crafts a request to a restricted resource, exploiting the incorrect authorization check (CWE-754).
  3. The Trust Protection Foundation instance fails to properly validate the attacker’s permissions due to the authorization bypass.
  4. The attacker gains unauthorized access to the restricted resource (CAPEC-122).
  5. The attacker performs unauthorized actions, such as viewing sensitive data.
  6. The attacker may modify restricted configurations or data within the Trust Protection Foundation.

Impact

Successful exploitation of CVE-2026-0241 allows attackers to bypass intended access controls within Palo Alto Networks Trust Protection Foundation. This can lead to unauthorized data access, modification, or other actions depending on the specific resource targeted. Palo Alto Networks is not aware of any malicious exploitation of this issue.

Recommendation

  • Upgrade Trust Protection Foundation to the fixed versions: 25.3.3, 25.1.8, 24.3.6, or 24.1.13 as detailed in the advisory.
  • Monitor network traffic for suspicious activity targeting Trust Protection Foundation instances that may indicate exploitation attempts of CVE-2026-0241.

Detection coverage (2 rules)

Detect CVE-2026-0241 Exploitation Attempt - Unauthorized Resource Access

medium

Detects potential exploitation attempts of CVE-2026-0241 by monitoring for access to restricted resources without proper authorization in Palo Alto Networks Trust Protection Foundation. This rule looks for HTTP 403 or similar errors for protected resources from unexpected source IPs.

sigma; tactics: defense_evasion; techniques: T1068; sources: webserver

Detect CVE-2026-0241 Exploitation Attempt - Unauthorized Data Modification

medium

Detects potential exploitation attempts of CVE-2026-0241 by monitoring for unauthorized data modification attempts in Palo Alto Networks Trust Protection Foundation. This rule specifically looks for abnormal HTTP POST requests to sensitive endpoints.

sigma; tactics: privilege_escalation; techniques: T1068; sources: webserver
