Triskele Labs Blog

CVE-2026-0257 PAN-OS: GlobalProtect Authentication Bypass Vulnerabilities

Written by Adam Skupien, Vulnerability Security Analyst | Jun 12, 2026 12:39:12 AM


Prepared by: Brandon Sawyer, Vulnerability Analyst | Published: Thu 11 June 2026

Summary

Palo Alto Networks has disclosed CVE-2026-0257, a high-severity (CVSSv4.0 - 7.8) authentication bypass vulnerability affecting PAN-OS GlobalProtect portal and gateway deployments. The flaw allows a remote, unauthenticated attacker to forge authentication override cookies and establish unauthorized VPN sessions under specific configurations. Palo Alto Networks has confirmed active exploitation attempts in the wild; unpatched systems should therefore be patched immediately as a priority.

Vulnerability details

CVE-2026-0257 affects the GlobalProtect authentication override feature, which allows users to authenticate using cookies instead of repeatedly providing credentials. The vulnerability exists because PAN-OS trusted decrypted authentication override cookies without validating their integrity or signature.
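The root cause described above is a general one: decrypting a token proves nothing about who produced it, so a parser that reads fields straight out of the decrypted body accepts any ciphertext that happens to decode cleanly. The following added example (written for this article; it is not PAN-OS code, and the cookie layout, toy keystream, key and helper names are all constructed for illustration) contrasts that defective pattern with a parser that verifies an HMAC tag over the ciphertext, in constant time, before it decrypts anything:

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Optional

# Constructed demo key. A real deployment would derive this from the dedicated
# certificate/key material the advisory recommends for override cookies.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy SHA-256 counter-mode keystream. It exists only to give the cookie an
    'encrypted' body for the demonstration; it is not a recommended cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # XOR with the keystream; the same call encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode()


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s)


def issue_cookie(key: bytes, user: str, ttl: int, now: int) -> str:
    """Build 'nonce.ciphertext.tag' (base64url) with an HMAC-SHA256 tag over nonce||ciphertext."""
    nonce = os.urandom(12)
    payload = json.dumps({"user": user, "exp": now + ttl}).encode()
    ct = _xor(key, nonce, payload)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return ".".join((_b64e(nonce), _b64e(ct), _b64e(tag)))


def _decode_claims(key: bytes, nonce: bytes, ct: bytes, now: int) -> Optional[str]:
    # Decrypt, parse and apply the expiry check; returns the user or None.
    try:
        claims = json.loads(_xor(key, nonce, ct))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims.get("user")


def weak_parse_cookie(key: bytes, cookie: str, now: int) -> Optional[str]:
    """Defective pattern: decrypt, then trust the fields. The tag is never checked."""
    nonce, ct, _tag = (_b64d(p) for p in cookie.split("."))
    return _decode_claims(key, nonce, ct, now)


def hardened_parse_cookie(key: bytes, cookie: str, now: int) -> Optional[str]:
    """Verify the tag in constant time before decrypting anything."""
    try:
        nonce, ct, tag = (_b64d(p) for p in cookie.split("."))
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _decode_claims(key, nonce, ct, now)


def flip_bit(cookie: str, index: int = 10, mask: int = 0x20) -> str:
    """Corrupt one byte of the ciphertext body (index 10 is the first letter of the
    user field in this payload layout) to show that the two parsers disagree."""
    nonce, ct, tag = cookie.split(".")
    body = bytearray(_b64d(ct))
    body[index] ^= mask
    return ".".join((nonce, _b64e(bytes(body)), tag))
```

Run against a cookie issued for "alice", both parsers return "alice"; after one byte of the body is corrupted, the weak parser happily returns a user the issuer never wrote ("Alice"), while the hardened parser rejects the cookie outright because the tag no longer matches. The same hardened parser also rejects an expired cookie and a cookie issued under a different key, which is the behaviour a reviewer should look for in any cookie-based authentication override.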

It has been reported that active exploitation may have occurred as early as 17 May 2026, targeting multiple organisations. As of 29 May 2026, this vulnerability had been added to the CISA Known Exploited Vulnerabilities (KEV) catalogue.

Successful exploitation can enable attackers to:

  • Bypass authentication controls,
  • Authenticate to the GlobalProtect gateway,
  • Potentially establish unauthorized VPN tunnels into internal corporate networks.

Version              | Affected        | Unaffected
PAN-OS 12.1          | < 12.1.4-h6     | >= 12.1.4-h6
                     | < 12.1.7        | >= 12.1.7
PAN-OS 11.2          | < 11.2.4-h17    | >= 11.2.4-h17
                     | < 11.2.7-h14    | >= 11.2.7-h14
                     | < 11.2.10-h7    | >= 11.2.10-h7
                     | < 11.2.12       | >= 11.2.12
PAN-OS 11.1          | < 11.1.4-h33    | >= 11.1.4-h33
                     | < 11.1.6-h32    | >= 11.1.6-h32
                     | < 11.1.7-h6     | >= 11.1.7-h6
                     | < 11.1.10-h25   | >= 11.1.10-h25
                     | < 11.1.13-h5    | >= 11.1.13-h5
                     | < 11.1.15       | >= 11.1.15
PAN-OS 10.2          | < 10.2.7-h34    | >= 10.2.7-h34
                     | < 10.2.10-h36   | >= 10.2.10-h36
                     | < 10.2.13-h21   | >= 10.2.13-h21
                     | < 10.2.16-h7    | >= 10.2.16-h7
                     | < 10.2.18-h6    | >= 10.2.18-h6
Prisma Access 11.2.0 | < 11.2.7-h13*   | >= 11.2.7-h13*
Prisma Access 10.2.0 | < 10.2.10-h36*  | >= 10.2.10-h36*

* Prisma Access is being actively upgraded for all the customers as per the upgrade schedule shared with the customers.
Please note - Panorama and Cloud NGFW are NOT impacted by these issues.
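Reading the table by hand across a fleet is error-prone, because each branch has several maintenance streams that were fixed by different hotfixes. The following added example (written for this article, not a Palo Alto Networks tool) encodes the PAN-OS rows of the table and classifies a version string. It assumes one reading of the table: a release is unaffected when it is at or past the newest fixed release of its branch, or when it sits on a maintenance stream that received a hotfix and carries that hotfix or a later one; anything else on a listed branch is treated as affected. Prisma Access is excluded because it is upgraded by Palo Alto Networks on its own schedule.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases per PAN-OS branch, copied from the advisory's table.
FIXED: Dict[str, List[str]] = {
    "12.1": ["12.1.4-h6", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h14", "11.2.10-h7", "11.2.12"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")
Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """'11.2.7-h14' -> (11, 2, 7, 14); a release without a hotfix gets hotfix 0."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hot = m.groups()
    return (int(major), int(minor), int(maint), int(hot or 0))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version is in an affected range, False if fixed, None if its
    branch is not in the table. Assumed reading of the table: fixed when at or past
    the branch's newest fixed release, or when on a hotfixed maintenance stream at
    or above that hotfix."""
    v = parse_version(version)
    fixes = FIXED.get(f"{v[0]}.{v[1]}")
    if fixes is None:
        return None
    fixed = [parse_version(f) for f in fixes]
    if v >= max(fixed):
        return False
    return not any(f[:3] == v[:3] and f[3] > 0 and v[3] >= f[3] for f in fixed)


def next_fixed_release(version: str) -> Optional[str]:
    """Smallest fixed release above the given one, preferring a hotfix on the same
    maintenance stream so the upgrade step is as small as possible. None when the
    version is not vulnerable or its branch is unknown."""
    if not is_vulnerable(version):
        return None
    v = parse_version(version)
    candidates = [f for f in FIXED[f"{v[0]}.{v[1]}"] if parse_version(f) > v]
    same_stream = [f for f in candidates if parse_version(f)[:3] == v[:3]]
    return min(same_stream or candidates, key=parse_version)


if __name__ == "__main__":
    # Constructed inventory lines, as an asset export might list them.
    for ver in ["11.2.7-h13", "11.2.8", "10.2.18", "12.1.7", "11.1.4-h33"]:
        print(ver, "vulnerable" if is_vulnerable(ver) else "fixed", next_fixed_release(ver))
```

A branch the table does not mention (for example a 10.1 release) is reported as unknown rather than safe, so it can be checked against the vendor advisory directly instead of being silently cleared.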

Impact

A threat actor can gain unauthorized VPN access without valid credentials. Depending on network segmentation and user privileges, this may result in:

  • Unauthorized internal network access,
  • Exposure of sensitive systems and data,
  • Potential lateral movement opportunities,
  • Abuse of trusted VPN connectivity.

 

Mitigation actions

Organisations should immediately upgrade affected PAN-OS and Prisma Access deployments to the fixed versions published by Palo Alto Networks (listed in the table above). Where patching is not possible, Palo Alto Networks customers can mitigate the risk with the following steps:

  1. Disable Authentication Override

    Disable "Generate cookie for authentication override" and "Accept cookie for authentication override" if business requirements permit.

  2. Use Dedicated Certificates

    Configure a unique certificate exclusively for authentication override cookies. Do not reuse HTTPS portal/gateway certificates.

With this fix, if the firewall is configured to use an authentication override cookie for the GlobalProtect portal or gateway, it will regenerate the cookie using a more secure method. GlobalProtect users will therefore need to re-authenticate after a PAN-OS upgrade, even if a valid cookie is present. This is a one-time requirement: once they re-authenticate after the upgrade, the authentication override cookie and its validity will work as they do today.

Detection capabilities

Organisations should monitor PAN-OS GlobalProtect logs for suspicious cookie-based authentication activity. The following Indicators of Compromise (IoCs) have been reported for security teams to be aware of:
 
  • Authentication method listed as Cookie,
  • Logins targeting local administrator accounts,
  • Connections from hosting providers such as Vultr and Dromatics Systems,
  • Suspicious VPN authentications using generic or non-human hostnames.
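Cookie authentication on its own is legitimate use of the override feature, so the indicators above are most useful in combination. The following added example (written for this article, not a Triskele Labs or Palo Alto Networks detection) scores constructed login records against the four indicator categories and escalates only records that match at least two. The key=value layout, field names, sample addresses, the hosting-provider range and the local-admin list are all constructed placeholders; a real deployment would map the firewall's actual GlobalProtect log fields and load its own provider and local-user data.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed sample records in a simplified key=value layout. The field names are
# illustrative, not PAN-OS's exact GlobalProtect log schema.
SAMPLE_LOGS = [
    "2026-05-18T02:14:07Z user=jdoe auth_method=SAML src=203.0.113.5 host=JDOE-LAPTOP status=success",
    "2026-05-18T02:15:41Z user=admin auth_method=Cookie src=198.51.100.23 host=localhost status=success",
    "2026-05-18T03:02:10Z user=asmith auth_method=Cookie src=192.0.2.77 host=ASMITH-MBP status=success",
    "2026-05-18T03:40:55Z user=svc_backup auth_method=Cookie src=198.51.100.88 host=ubuntu status=success",
]

# Constructed: populate from the firewall's own local user database.
LOCAL_ADMIN_ACCOUNTS = {"admin"}
# Constructed placeholder range standing in for hosting-provider address space
# (the advisory names Vultr and Dromatics Systems); load real provider/ASN data in practice.
HOSTING_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
# Hostnames that look like default or throwaway machines rather than named user devices.
GENERIC_HOSTNAME = re.compile(
    r"^(localhost|ubuntu|kali|debian|win(dows)?\d*|vm\d*|host\d*|[a-f0-9]{8,})$", re.IGNORECASE
)


def parse_record(line: str) -> Dict[str, str]:
    """Split one 'timestamp key=value ...' line into a dict."""
    ts, rest = line.split(" ", 1)
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = ts
    return rec


def indicators(rec: Dict[str, str]) -> List[str]:
    """Return the advisory's indicator categories that a single login record matches."""
    hits = []
    if rec.get("auth_method", "").lower() == "cookie":
        hits.append("cookie authentication")
    if rec.get("user") in LOCAL_ADMIN_ACCOUNTS:
        hits.append("local administrator account")
    try:
        src = ipaddress.ip_address(rec.get("src", ""))
        if any(src in net for net in HOSTING_RANGES):
            hits.append("hosting-provider source")
    except ValueError:
        pass  # malformed or missing source address; other indicators still apply
    if GENERIC_HOSTNAME.match(rec.get("host", "")):
        hits.append("generic hostname")
    return hits


def triage(lines: Iterable[str], min_indicators: int = 2) -> List[Dict[str, object]]:
    """Flag successful logins carrying at least min_indicators indicator categories.
    A lone 'cookie authentication' hit is not escalated, since that is normal use."""
    flagged = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("status") != "success":
            continue
        hits = indicators(rec)
        if len(hits) >= min_indicators:
            flagged.append({"ts": rec["ts"], "user": rec["user"], "src": rec["src"], "indicators": hits})
    return flagged


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"{f['ts']} {f['user']} from {f['src']}: {', '.join(f['indicators'])}")
```

On the constructed sample, the `admin` login (cookie, local admin, hosting range, `localhost`) and the `svc_backup` login (cookie, hosting range, `ubuntu`) are escalated, while `asmith`'s cookie login from a named laptop on a non-hosting address is left alone. The threshold is deliberately a parameter so that a team can tighten it to one indicator while the exposure window is open and relax it once the upgrade has forced all users to re-authenticate.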
 

MDR customers: Triskele Labs will continue tuning detections for behaviours consistent with the exploitation of CVE-2026-0257 across supported log sources.

Vulnerability Management customers: Environments are being assessed for vulnerable PAN-OS appliance versions and exposure; any findings will be communicated through priority channels.
