{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-0257/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PAN-OS","Prisma Access"],"_cs_severities":["medium"],"_cs_tags":["authentication bypass","vpn","cve-2026-0257"],"_cs_type":"advisory","_cs_vendors":["Palo Alto Networks"],"content_html":"\u003cp\u003eAn authentication bypass vulnerability, tracked as CVE-2026-0257, affects the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS software. This vulnerability allows an attacker to bypass security restrictions and establish an unauthorized VPN connection. The issue arises when authentication override cookies are enabled alongside a specific certificate configuration. Panorama and Cloud NGFW are not impacted. The vulnerability affects multiple versions of PAN-OS including 12.1, 11.2, 11.1, 10.2 and Prisma Access 11.2 and 10.2. Palo Alto Networks internally discovered this issue and has released patches to address it.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable PAN-OS GlobalProtect portal or gateway with authentication override cookies enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to the GlobalProtect portal or gateway, exploiting the authentication bypass vulnerability.\u003c/li\u003e\n\u003cli\u003eThe vulnerable PAN-OS software improperly validates or fails to validate the authentication override cookie due to the specific certificate configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker bypasses authentication requirements, gaining unauthorized access to the GlobalProtect service.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes an unauthorized VPN connection to the internal network.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to internal network resources.\u003c/li\u003e\n\u003cli\u003eThe attacker performs unauthorized actions within the network, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to bypass security restrictions and establish an unauthorized VPN connection. This could lead to unauthorized access to sensitive internal network resources and data. Palo Alto Networks is not aware of any malicious exploitation of these issues at this time.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade PAN-OS to a fixed version as specified in the Palo Alto Networks advisory to remediate CVE-2026-0257.\u003c/li\u003e\n\u003cli\u003eAs a workaround, disable Authentication Override by unchecking the Authentication Override options in the GlobalProtect portal and gateway configuration as described in the advisory.\u003c/li\u003e\n\u003cli\u003eUse a dedicated certificate for Authentication Override cookies as recommended by Palo Alto Networks, and ensure it is stored securely.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:08:27Z","date_published":"2026-05-13T16:08:27Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0257-panos-globalprotect-auth-bypass/","summary":"An authentication bypass vulnerability exists in Palo Alto Networks PAN-OS GlobalProtect portal and gateway (CVE-2026-0257) when authentication override cookies are enabled, allowing an attacker to establish an unauthorized VPN connection.","title":"CVE-2026-0257 PAN-OS GlobalProtect Authentication Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0257-panos-globalprotect-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-0257","version":"https://jsonfeed.org/version/1.1"}