CVE-2026-0257 PAN-OS GlobalProtect Authentication Bypass Vulnerability
An authentication bypass vulnerability exists in Palo Alto Networks PAN-OS GlobalProtect portal and gateway (CVE-2026-0257) when authentication override cookies are enabled, allowing an attacker to establish an unauthorized VPN connection.
An authentication bypass vulnerability, tracked as CVE-2026-0257, affects the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS software. This vulnerability allows an attacker to bypass security restrictions and establish an unauthorized VPN connection. The issue arises when authentication override cookies are enabled alongside a specific certificate configuration. Panorama and Cloud NGFW are not impacted. The vulnerability affects multiple versions of PAN-OS including 12.1, 11.2, 11.1, 10.2 and Prisma Access 11.2 and 10.2. Palo Alto Networks internally discovered this issue and has released patches to address it.
Attack Chain
- The attacker identifies a vulnerable PAN-OS GlobalProtect portal or gateway with authentication override cookies enabled.
- The attacker crafts a malicious request to the GlobalProtect portal or gateway, exploiting the authentication bypass vulnerability.
- The vulnerable PAN-OS software improperly validates or fails to validate the authentication override cookie due to the specific certificate configuration.
- The attacker bypasses authentication requirements, gaining unauthorized access to the GlobalProtect service.
- The attacker establishes an unauthorized VPN connection to the internal network.
- The attacker gains access to internal network resources.
- The attacker performs unauthorized actions within the network, such as data exfiltration or lateral movement.
Impact
Successful exploitation of this vulnerability allows an unauthenticated attacker to bypass security restrictions and establish an unauthorized VPN connection. This could lead to unauthorized access to sensitive internal network resources and data. Palo Alto Networks is not aware of any malicious exploitation of this issue at this time.
Recommendation
- Upgrade PAN-OS to a fixed version as specified in the Palo Alto Networks advisory to remediate CVE-2026-0257.
- As a workaround, disable Authentication Override by unchecking the Authentication Override options in the GlobalProtect portal and gateway configuration as described in the advisory.
- Use a dedicated certificate for Authentication Override cookies as recommended by Palo Alto Networks, and ensure it is stored securely.
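To see which portals and gateways the workaround and the dedicated-certificate recommendation apply to, the following added example (not from the Palo Alto Networks advisory or from this page) audits an exported configuration file. The element names (`authentication-override`, `generate-cookie`, `accept-cookie`, `cookie-encrypt-decrypt-cert`, `certificate`) and the sample XML are assumptions about the export layout; confirm them against your own device's export before relying on the result.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. Element names are assumptions about
# the exported config layout; verify them against your own device's export.
SAMPLE = """<config>
  <ssl-tls-service-profile>
    <entry name="gp-tls"><certificate>gp-portal-cert</certificate></entry>
  </ssl-tls-service-profile>
  <global-protect-portal>
    <entry name="portal-1"><authentication-override>
      <accept-cookie><cookie-lifetime/></accept-cookie>
      <cookie-encrypt-decrypt-cert>gp-portal-cert</cookie-encrypt-decrypt-cert>
    </authentication-override></entry>
  </global-protect-portal>
  <global-protect-gateway>
    <entry name="gw-1"><authentication-override>
      <generate-cookie>yes</generate-cookie>
      <cookie-encrypt-decrypt-cert>gp-cookie-only</cookie-encrypt-decrypt-cert>
    </authentication-override></entry>
    <entry name="gw-2"/>
  </global-protect-gateway>
</config>"""

def audit_auth_override(xml_text):
    """List portal/gateway entries with Authentication Override enabled."""
    root = ET.fromstring(xml_text)
    # Certificates already used elsewhere (assumed: any <certificate> element).
    used_elsewhere = {c.text.strip() for c in root.iter("certificate") if c.text}
    findings = []
    for kind in ("global-protect-portal", "global-protect-gateway"):
        for container in root.iter(kind):
            for entry in container.findall("entry"):
                # Search at any depth: the block may sit in a nested agent config.
                for ao in entry.iter("authentication-override"):
                    generate = (ao.findtext("generate-cookie") or "").strip() == "yes"
                    accept = ao.find("accept-cookie") is not None
                    if not (generate or accept):
                        continue  # override block present but not enabled
                    cert = (ao.findtext("cookie-encrypt-decrypt-cert") or "").strip()
                    findings.append({
                        "component": kind, "name": entry.get("name"),
                        "generate": generate, "accept": accept, "cert": cert,
                        "dedicated_cert": bool(cert) and cert not in used_elsewhere,
                    })
    return findings

if __name__ == "__main__":
    for f in audit_auth_override(SAMPLE):
        print(f)
```

Entries reported with `dedicated_cert` set to `False` reuse a certificate that another part of the configuration also references, which is the case the dedicated-certificate recommendation addresses.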
Detection coverage (1)
Detect CVE-2026-0257 Exploitation Attempt - GlobalProtect Authentication Bypass
Severity: low. Detects potential attempts to exploit CVE-2026-0257 by monitoring requests to GlobalProtect portal or gateway with suspicious cookie manipulation.