PAN-OS CVE-2026-0257: GlobalProtect Authentication Bypass Added to KEV

Suspected
Discovered May 31, 2026

CISA added PAN-OS CVE-2026-0257 to KEV on 2026-05-29 after limited exploitation of unpatched GlobalProtect portal and gateway configurations that use authentication override cookies.

0
Affected Packages
4
Observables
4
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Am I affected?
Review affected software below
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script
hXXps://raw[.]githubusercontent[.]com/cisagov/kev-data/develop/known_exploited_vulnerabilities[.]json
security[.]paloaltonetworks[.]com
raw[.]githubusercontent[.]com
hXXps://security[.]paloaltonetworks[.]com/CVE-2026-0257

Analysis

Executive Summary

CISA's KEV catalog version 2026.05.29 lists CVE-2026-0257 as an actively exploited PAN-OS authentication bypass with a federal due date of 2026-06-01 [raw.githubusercontent.com opens in a new tab]. Palo Alto Networks says the issue affects GlobalProtect portal and gateway deployments where authentication override cookies are enabled with a specific certificate configuration, and that limited exploit attempts have targeted unpatched systems without mitigations [security.paloaltonetworks.com opens in a new tab].

This is a VPN-edge exposure problem, not a generic PAN-OS compromise claim. Treat an exposed GlobalProtect portal or gateway on a vulnerable PAN-OS branch as a priority access-control incident because successful exploitation can establish an unauthorized VPN connection [raw.githubusercontent.com opens in a new tab] [security.paloaltonetworks.com opens in a new tab].

Key Facts

Event Id: pan-os-cve-2026-0257-globalprotect-auth-bypass

Cve: CVE-2026-0257

Vendor: Palo Alto Networks

Product: PAN-OS GlobalProtect portal and gateway

Kev Added: 2026-05-29

Kev Due: 2026-06-01

Kev Catalog Version: 2026.05.29

Cvss V4: 7.8

Exploit Maturity: attacked

Exposure Condition:

  • GlobalProtect portal or gateway configured
  • authentication override cookies enabled
  • specific certificate configuration exists

Not Impacted:

  • Panorama
  • Cloud NGFW

Evidence Assessment

Impact Determination

Analysis table
ClassificationCriteriaRequired evidenceHandling decision
Confirmed compromiseUnauthorized GlobalProtect VPN access or session creation aligns with a vulnerable unmitigated device.VPN auth/session logs, GlobalProtect gateway logs, identity provider logs, firewall configuration, and user/session ownership evidence.Isolate the gateway path, revoke suspect sessions, rotate affected VPN credentials, preserve logs, and patch.
Presumed exposedVulnerable PAN-OS branch, GlobalProtect enabled, authentication override cookies enabled, and no mitigation or fixed release.PAN-OS version plus portal/gateway configuration export.Disable authentication override or apply a fixed version before closing exposure.
Potentially exposedPAN-OS branch or GlobalProtect usage is known, but cookie override and certificate configuration are not verified.Device inventory, running config, Panorama exports, and GlobalProtect portal/gateway settings.Run config audit and keep the asset in scope until settings are proven negative.
Not exposedFixed PAN-OS release or GlobalProtect/authentication override cookie path is absent.Version evidence and configuration evidence.Archive evidence and monitor for related authentication anomalies.

Remediation and Closure

Patch to a fixed PAN-OS release for the deployed branch, or apply Palo Alto Networks' mitigation by disabling authentication override or using a dedicated certificate for authentication override cookies [security.paloaltonetworks.com opens in a new tab]. After patching, require GlobalProtect users to re-authenticate and review active sessions because the vendor notes the fix regenerates authentication override cookies [security.paloaltonetworks.com opens in a new tab].

For exposed systems, close only after you can show the fixed version, the current GlobalProtect cookie configuration, cleared suspicious sessions, and reviewed identity-provider logs for unauthorized VPN access.

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
May 31, 2026DiscoveryDiscovery recorded for PAN-OS CVE-2026-0257: GlobalProtect Authentication Bypass Added to KEV.nvd.nist.gov
May 31, 2026First seenFirst seen recorded for PAN-OS CVE-2026-0257: GlobalProtect Authentication Bypass Added to KEV.nvd.nist.gov
May 31, 2026DisclosureDisclosure recorded for PAN-OS CVE-2026-0257: GlobalProtect Authentication Bypass Added to KEV.nvd.nist.gov
May 31, 2026PAN-OS CVE-2026-0257: GlobalProtect Authentication Bypass Added to KEVUnknownnvd.nist.gov

Affected Software

0 of 0 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
No rows match the active filters.

IOC Clipboard

4 IOCs
urlhttps://raw.githubusercontent.com/cisagov/kev-data/develop/known_exploited_vulnerabilities.json
domainsecurity.paloaltonetworks.com
domainraw.githubusercontent.com
urlhttps://security.paloaltonetworks.com/CVE-2026-0257

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
local repository and exported telemetry scopePythonDoes the telemetry scope contain patterns associated with PAN-OS CVE-2026-0257: GlobalProtect Authentication Bypass Added to KEV?scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabnvd.nist.gov

Hunt Manifest: local repository and exported telemetry scope

Title
local repository and exported telemetry scope
Question
Does the telemetry scope contain patterns associated with PAN-OS CVE-2026-0257: GlobalProtect Authentication Bypass Added to KEV?
Telemetry Family
Python
Repository
scripts/local_repository_and_exported_telemetry_scope.py
Show tested hunting scriptscripts/local_repository_and_exported_telemetry_scope.py
scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabPython
#!/usr/bin/env python3
import os
import sys
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-pan-os-cve-2026-0257-globalprotect-auth-bypass-scope"))

DOMAINS = ["raw.githubusercontent.com","security.paloaltonetworks.com"]
URLS = ["https://raw.githubusercontent.com/cisagov/kev-data/develop/known_exploited_vulnerabilities.json","https://security.paloaltonetworks.com/CVE-2026-0257"]

# Collect unique indicators
indicators = set()
for group in [DOMAINS, URLS]:
    for val in group:
        if val:
            indicators.add(val)

            indicators.add(val)

with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")

print(f"[+] Written unique selectors to {indicators_file}")

# Walk local directory
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = []
exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
for root, dirs, filenames in os.walk(ROOT):
    dirs[:] = [d for d in dirs if d not in exclude_dirs]
    for filename in filenames:
        filepath = Path(root) / filename
        try:
            content = filepath.read_text(errors="ignore")
            for ind in indicators:
                if ind in content:
                    matches.append(f"{filepath}: found '{ind}'")
        except Exception:
            pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here

if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional Log Scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = []
    for root, _, filenames in os.walk(LOG_ROOT):
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        log_matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

    if "PACKAGES" in globals() and PACKAGES:
        registry_dir = OUT / "registry"
        registry_dir.mkdir(exist_ok=True)

print(f"[+] Wrote scope artifacts under {OUT}")

Provenance & Sources

4 of 4 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
nvd.nist.govSecurity Researcher95%1CISA added PAN-OS CVE-2026-0257 to KEV on 2026-05-29 after limited exploitation of unpatched GlobalProtect portal and gateway configurations that use authentication override cookies.
security.paloaltonetworks.comSecurity Researcher95%1CISA added PAN-OS CVE-2026-0257 to KEV on 2026-05-29 after limited exploitation of unpatched GlobalProtect portal and gateway configurations that use authentication override cookies.
GitHubSecurity Researcher95%1CISA added PAN-OS CVE-2026-0257 to KEV on 2026-05-29 after limited exploitation of unpatched GlobalProtect portal and gateway configurations that use authentication override cookies.
raw.githubusercontent.comVendor95%1CISA added PAN-OS CVE-2026-0257 to KEV on 2026-05-29 after limited exploitation of unpatched GlobalProtect portal and gateway configurations that use authentication override cookies.
PAN-OS CVE-2026-0257: GlobalProtect Authentication Bypass Added to KEV — Halting Problems