CVE-2026-0257: PAN-OS: GlobalProtect Authentication Bypass Vulnerabilities (Severity: HIGH)

Published May 13, 2026

Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allow an attacker to bypass security restrictions and establish an unauthorized VPN connection. Panorama and Cloud NGFW are not impacted by these issues.

Affected Software

196 affected components · Fixes available
Palo Alto Networks PAN-OS (GlobalProtect)
Palo Alto Networks PAN-OS
Palo Alto Networks Cloud NGFW
Palo Alto Networks PAN-OS=12.1.0, =11.2.0, =11.1.0, =10.2.0
Fixed versions: 12.1.7, 12.1.4-h6, 11.2.12, 11.2.10-h7, 11.2.7-h14, 11.2.4-h17, 11.1.15, 11.1.13-h5, 11.1.10-h25, 11.1.7-h6, 11.1.6-h32, 11.1.4-h33, 10.2.18-h6, 10.2.16-h7, 10.2.13-h21, 10.2.10-h36, 10.2.7-h34
Palo Alto Networks Prisma Access<10.2.10-h36, =10.2.0, <11.2.7-h13, =11.2.0
Fixed versions: 10.2.10-h36, 11.2.7-h13
Palo Alto Networks PAN-OS<10.2.7
Palo Alto Networks PAN-OS=10.2.7
Palo Alto Networks PAN-OS=10.2.7-h1
Palo Alto Networks PAN-OS=10.2.7-h12
Palo Alto Networks PAN-OS=10.2.7-h16
Palo Alto Networks PAN-OS=10.2.7-h18
Palo Alto Networks PAN-OS=10.2.7-h19
Palo Alto Networks PAN-OS=10.2.7-h21
Palo Alto Networks PAN-OS=10.2.7-h24
Palo Alto Networks PAN-OS=10.2.7-h3
Palo Alto Networks PAN-OS=10.2.7-h32
Palo Alto Networks PAN-OS=10.2.7-h6
Palo Alto Networks PAN-OS=10.2.7-h8
Palo Alto Networks PAN-OS=10.2.8
Palo Alto Networks PAN-OS=10.2.9
Palo Alto Networks PAN-OS=10.2.10
Palo Alto Networks PAN-OS=10.2.10-h10
Palo Alto Networks PAN-OS=10.2.10-h12
Palo Alto Networks PAN-OS=10.2.10-h14
Palo Alto Networks PAN-OS=10.2.10-h17
Palo Alto Networks PAN-OS=10.2.10-h18
Palo Alto Networks PAN-OS=10.2.10-h2
Palo Alto Networks PAN-OS=10.2.10-h21
Palo Alto Networks PAN-OS=10.2.10-h27
Palo Alto Networks PAN-OS=10.2.10-h3
Palo Alto Networks PAN-OS=10.2.10-h30
Palo Alto Networks PAN-OS=10.2.10-h31
Palo Alto Networks PAN-OS=10.2.10-h4
Palo Alto Networks PAN-OS=10.2.10-h5
Palo Alto Networks PAN-OS=10.2.10-h7
Palo Alto Networks PAN-OS=10.2.10-h9
Palo Alto Networks PAN-OS=10.2.11
Palo Alto Networks PAN-OS=10.2.12
Palo Alto Networks PAN-OS=10.2.13
Palo Alto Networks PAN-OS=10.2.13-h1
Palo Alto Networks PAN-OS=10.2.13-h10
Palo Alto Networks PAN-OS=10.2.13-h16
Palo Alto Networks PAN-OS=10.2.13-h18
Palo Alto Networks PAN-OS=10.2.13-h2
Palo Alto Networks PAN-OS=10.2.13-h3
Palo Alto Networks PAN-OS=10.2.13-h4
Palo Alto Networks PAN-OS=10.2.13-h5
Palo Alto Networks PAN-OS=10.2.13-h7
Palo Alto Networks PAN-OS=10.2.14
Palo Alto Networks PAN-OS=10.2.15
Palo Alto Networks PAN-OS=10.2.16
Palo Alto Networks PAN-OS=10.2.16-h1
Palo Alto Networks PAN-OS=10.2.16-h4
Palo Alto Networks PAN-OS=10.2.16-h6
Palo Alto Networks PAN-OS=10.2.17
Palo Alto Networks PAN-OS=10.2.18
Palo Alto Networks PAN-OS=10.2.18-h1
Palo Alto Networks PAN-OS=10.2.18-h5
Palo Alto Networks PAN-OS=11.1.0
Palo Alto Networks PAN-OS=11.1.1
Palo Alto Networks PAN-OS=11.1.2
Palo Alto Networks PAN-OS=11.1.3
Palo Alto Networks PAN-OS=11.1.4
Palo Alto Networks PAN-OS=11.1.4-h1
Palo Alto Networks PAN-OS=11.1.4-h13
Palo Alto Networks PAN-OS=11.1.4-h15
Palo Alto Networks PAN-OS=11.1.4-h16
Palo Alto Networks PAN-OS=11.1.4-h17
Palo Alto Networks PAN-OS=11.1.4-h18
Palo Alto Networks PAN-OS=11.1.4-h25
Palo Alto Networks PAN-OS=11.1.4-h27
Palo Alto Networks PAN-OS=11.1.4-h32
Palo Alto Networks PAN-OS=11.1.4-h4
Palo Alto Networks PAN-OS=11.1.4-h7
Palo Alto Networks PAN-OS=11.1.4-h9
Palo Alto Networks PAN-OS=11.1.5
Palo Alto Networks PAN-OS=11.1.6
Palo Alto Networks PAN-OS=11.1.6-h1
Palo Alto Networks PAN-OS=11.1.6-h10
Palo Alto Networks PAN-OS=11.1.6-h14
Palo Alto Networks PAN-OS=11.1.6-h17
Palo Alto Networks PAN-OS=11.1.6-h19
Palo Alto Networks PAN-OS=11.1.6-h2
Palo Alto Networks PAN-OS=11.1.6-h20
Palo Alto Networks PAN-OS=11.1.6-h21
Palo Alto Networks PAN-OS=11.1.6-h22
Palo Alto Networks PAN-OS=11.1.6-h23
Palo Alto Networks PAN-OS=11.1.6-h25
Palo Alto Networks PAN-OS=11.1.6-h29
Palo Alto Networks PAN-OS=11.1.6-h3
Palo Alto Networks PAN-OS=11.1.6-h4
Palo Alto Networks PAN-OS=11.1.6-h5
Palo Alto Networks PAN-OS=11.1.6-h6
Palo Alto Networks PAN-OS=11.1.6-h7
Palo Alto Networks PAN-OS=11.1.7
Palo Alto Networks PAN-OS=11.1.7-h1
Palo Alto Networks PAN-OS=11.1.7-h2
Palo Alto Networks PAN-OS=11.1.7-h4
Palo Alto Networks PAN-OS=11.1.8
Palo Alto Networks PAN-OS=11.1.9
Palo Alto Networks PAN-OS=11.1.10
Palo Alto Networks PAN-OS=11.1.10-h1
Palo Alto Networks PAN-OS=11.1.10-h10
Palo Alto Networks PAN-OS=11.1.10-h12
Palo Alto Networks PAN-OS=11.1.10-h21
Palo Alto Networks PAN-OS=11.1.10-h4
Palo Alto Networks PAN-OS=11.1.10-h5
Palo Alto Networks PAN-OS=11.1.10-h7
Palo Alto Networks PAN-OS=11.1.10-h9
Palo Alto Networks PAN-OS=11.1.11
Palo Alto Networks PAN-OS=11.1.12
Palo Alto Networks PAN-OS=11.1.13
Palo Alto Networks PAN-OS=11.1.13-h1
Palo Alto Networks PAN-OS=11.1.13-h2
Palo Alto Networks PAN-OS=11.1.13-h3
Palo Alto Networks PAN-OS=11.1.14
Palo Alto Networks PAN-OS=11.2.0
Palo Alto Networks PAN-OS=11.2.1
Palo Alto Networks PAN-OS=11.2.2
Palo Alto Networks PAN-OS=11.2.3
Palo Alto Networks PAN-OS=11.2.4
Palo Alto Networks PAN-OS=11.2.4-h1
Palo Alto Networks PAN-OS=11.2.4-h10
Palo Alto Networks PAN-OS=11.2.4-h11
Palo Alto Networks PAN-OS=11.2.4-h12
Palo Alto Networks PAN-OS=11.2.4-h14
Palo Alto Networks PAN-OS=11.2.4-h15
Palo Alto Networks PAN-OS=11.2.4-h2
Palo Alto Networks PAN-OS=11.2.4-h4
Palo Alto Networks PAN-OS=11.2.4-h5
Palo Alto Networks PAN-OS=11.2.4-h6
Palo Alto Networks PAN-OS=11.2.4-h7
Palo Alto Networks PAN-OS=11.2.4-h8
Palo Alto Networks PAN-OS=11.2.4-h9
Palo Alto Networks PAN-OS=11.2.5
Palo Alto Networks PAN-OS=11.2.6
Palo Alto Networks PAN-OS=11.2.7
Palo Alto Networks PAN-OS=11.2.7-h1
Palo Alto Networks PAN-OS=11.2.7-h10
Palo Alto Networks PAN-OS=11.2.7-h11
Palo Alto Networks PAN-OS=11.2.7-h12
Palo Alto Networks PAN-OS=11.2.7-h13
Palo Alto Networks PAN-OS=11.2.7-h2
Palo Alto Networks PAN-OS=11.2.7-h3
Palo Alto Networks PAN-OS=11.2.7-h4
Palo Alto Networks PAN-OS=11.2.7-h7
Palo Alto Networks PAN-OS=11.2.7-h8
Palo Alto Networks PAN-OS=11.2.8
Palo Alto Networks PAN-OS=11.2.9
Palo Alto Networks PAN-OS=11.2.10
Palo Alto Networks PAN-OS=11.2.10-h1
Palo Alto Networks PAN-OS=11.2.10-h2
Palo Alto Networks PAN-OS=11.2.10-h3
Palo Alto Networks PAN-OS=11.2.10-h4
Palo Alto Networks PAN-OS=11.2.10-h5
Palo Alto Networks PAN-OS=11.2.10-h6
Palo Alto Networks PAN-OS=11.2.11
Palo Alto Networks PAN-OS=12.1.2
Palo Alto Networks PAN-OS=12.1.3
Palo Alto Networks PAN-OS=12.1.4
Palo Alto Networks PAN-OS=12.1.4-h2
Palo Alto Networks PAN-OS=12.1.4-h3
Palo Alto Networks PAN-OS=12.1.4-h5
Palo Alto Networks PAN-OS=12.1.5
Palo Alto Networks PAN-OS=12.1.6
All of the following
Palo Alto Networks Prisma Access
Any of the following
Palo Alto Networks PAN-OS>=10.2.0, <10.2.10
Palo Alto Networks PAN-OS>=11.2.0, <11.2.7
Palo Alto Networks PAN-OS=10.2.10
Palo Alto Networks PAN-OS=10.2.10-h10
Palo Alto Networks PAN-OS=10.2.10-h12
Palo Alto Networks PAN-OS=10.2.10-h14
Palo Alto Networks PAN-OS=10.2.10-h17
Palo Alto Networks PAN-OS=10.2.10-h18
Palo Alto Networks PAN-OS=10.2.10-h2
Palo Alto Networks PAN-OS=10.2.10-h21
Palo Alto Networks PAN-OS=10.2.10-h27
Palo Alto Networks PAN-OS=10.2.10-h3
Palo Alto Networks PAN-OS=10.2.10-h30
Palo Alto Networks PAN-OS=10.2.10-h31
Palo Alto Networks PAN-OS=10.2.10-h4
Palo Alto Networks PAN-OS=10.2.10-h5
Palo Alto Networks PAN-OS=10.2.10-h7
Palo Alto Networks PAN-OS=10.2.10-h9
Palo Alto Networks PAN-OS=11.2.7
Palo Alto Networks PAN-OS=11.2.7-h1
Palo Alto Networks PAN-OS=11.2.7-h10
Palo Alto Networks PAN-OS=11.2.7-h11
Palo Alto Networks PAN-OS=11.2.7-h12
Palo Alto Networks PAN-OS=11.2.7-h2
Palo Alto Networks PAN-OS=11.2.7-h3
Palo Alto Networks PAN-OS=11.2.7-h4
Palo Alto Networks PAN-OS=11.2.7-h7
Palo Alto Networks PAN-OS=11.2.7-h8
All of the following
Siemens Ruggedcom Ape1808 Firmware
Siemens Ruggedcom Ape1808

Remediation

Mitigation

Customers can mitigate the risk of this issue by taking any of the following actions:

* Use a dedicated certificate for Authentication Override cookies: Generate a new certificate exclusively for authentication override cookies and store it securely. Do not reuse the portal or gateway certificate, and do not share this certificate with other features or users.
* Disable Authentication Override: Uncheck the Authentication Override options (for generating and accepting cookies) in the GlobalProtect portal and gateway configuration.

Information

| VERSION | MINOR VERSION | SUGGESTED SOLUTION |
|---|---|---|
| Cloud NGFW | All | No action needed. |
| PAN-OS 12.1 | 12.1.5 through 12.1.6 | Upgrade to 12.1.7 or later. |
| | 12.1.2 through 12.1.4-h* | Upgrade to 12.1.4-h6 or 12.1.7 or later. |
| PAN-OS 11.2 | 11.2.11 or later | Upgrade to 11.2.12 or later. |
| | 11.2.8 through 11.2.10-h* | Upgrade to 11.2.10-h7 or 11.2.12 or later. |
| | 11.2.5 through 11.2.7-h* | Upgrade to 11.2.7-h14 or 11.2.12 or later. |
| | 11.2.0 through 11.2.4-h* | Upgrade to 11.2.4-h17 or 11.2.12 or later. |
| PAN-OS 11.1 | 11.1.14 or later | Upgrade to 11.1.15 or later. |
| | 11.1.11 through 11.1.13-h* | Upgrade to 11.1.13-h5 or 11.1.15 or later. |
| | 11.1.8 through 11.1.10-h* | Upgrade to 11.1.10-h25 or 11.1.15 or later. |
| | 11.1.7 through 11.1.7-h* | Upgrade to 11.1.7-h6 or 11.1.15 or later. |
| | 11.1.5 through 11.1.6-h* | Upgrade to 11.1.6-h32 or 11.1.15 or later. |
| | 11.1.0 through 11.1.4-h* | Upgrade to 11.1.4-h33 or 11.1.15 or later. |
| PAN-OS 10.2 | 10.2.17 through 10.2.18-h* | Upgrade to 10.2.18 or 10.2.18-h6 or later. |
| | 10.2.14 through 10.2.16-h* | Upgrade to 10.2.16-h7 or 10.2.18-h6 or later. |
| | 10.2.11 through 10.2.13-h* | Upgrade to 10.2.13-h21 or 10.2.18-h6 or later. |
| | 10.2.8 through 10.2.10-h* | Upgrade to 10.2.10-h36 or 10.2.18-h6 or later. |
| | 10.2.0 through 10.2.7-h* | Upgrade to 10.2.7-h34 or 10.2.18-h6 or later. |
| All older unsupported PAN-OS versions | | Upgrade to a supported fixed version. |
| Prisma Access 10.2 | 10.2.0 through 10.2.10-h* | Upgrade to 10.2.10-h36 or later. |
| Prisma Access 11.2 | 11.2.0 through 11.2.7-h* | Upgrade to 11.2.7-h13 or later. |

Note: With this fix, if the firewall is configured to use an authentication override cookie for the GlobalProtect Portal or Gateway, it will regenerate the cookie using a more secure method. Therefore, GP users will need to re-authenticate after a PAN-OS upgrade, even if a valid cookie is present. This is a one time requirement. Once they re-authenticate after the upgrade, the authentication override cookie and its validity will work as they do today.
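To triage a firewall inventory against the PAN-OS rows of the fix table above, the following added example (not part of the advisory or of any Palo Alto Networks tooling) maps a version string to its status and upgrade targets. The names `FIX_TABLE` and `triage` are hypothetical, and version strings are assumed to look like `11.2.7-h13`; Prisma Access and Cloud NGFW rows are not covered.

```python
import re

# Fix table transcribed from the advisory above. Per release train: the
# "or later" fix as (maint, hotfix), then rows of
# (first maint, last maint, hotfix number on the last maint, or None).
FIX_TABLE = {
    (12, 1): ((7, 0), [(2, 4, 6), (5, 6, None)]),
    (11, 2): ((12, 0), [(0, 4, 17), (5, 7, 14), (8, 10, 7), (11, 11, None)]),
    (11, 1): ((15, 0), [(0, 4, 33), (5, 6, 32), (7, 7, 6), (8, 10, 25),
                        (11, 13, 5), (14, 14, None)]),
    # Assumption: the 10.2.17-10.2.18 row is read as "10.2.18-h6 or later",
    # which matches the affected list (10.2.18-h5 is listed as affected).
    (10, 2): ((18, 6), [(0, 7, 34), (8, 10, 36), (11, 13, 21), (14, 16, 7),
                        (17, 18, None)]),
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def fmt(train, maint, hotfix):
    """Render a version such as 11.2.7-h14 (hotfix 0/None means no suffix)."""
    base = f"{train[0]}.{train[1]}.{maint}"
    return f"{base}-h{hotfix}" if hotfix else base

def triage(version):
    """Return (status, upgrade_targets) for a PAN-OS version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = (int(g or 0) for g in m.groups())
    train = (major, minor)
    if train not in FIX_TABLE:
        return ("not-listed", [])   # older/unsupported trains: see the table
    train_fix, rows = FIX_TABLE[train]
    if (maint, hotfix) >= train_fix:
        return ("fixed", [])
    for lo, hi, row_hotfix in rows:
        if lo <= maint <= hi:
            # A hotfix only counts on the exact maintenance release it ships on.
            if row_hotfix and maint == hi and hotfix >= row_hotfix:
                return ("fixed", [])
            targets = [fmt(train, hi, row_hotfix)] if row_hotfix else []
            return ("affected", targets + [fmt(train, *train_fix)])
    return ("not-listed", [])

if __name__ == "__main__":
    for v in ["11.2.7-h13", "11.2.7-h14", "11.1.9", "12.1.6", "10.2.18-h6"]:
        print(v, triage(v))
```

A "fixed" result only reflects the version number; whether Authentication Override is enabled on the portal or gateway still has to be checked in the configuration.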


Information

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Event History

May 13, 2026
Advisory Published
via Palo Alto Networks·04:00 PM
Known Exploited
via Palo Alto Networks·04:00 PM
Data Sourced
via Palo Alto Networks·04:00 PM
Remedy, Description, Severity, Weakness, Affected Software
CVE Published
via MITRE·06:15 PM
Data Sourced
via MITRE·06:15 PM
Remedy, Description, Weakness
Data Sourced
via NVD·07:17 PM
Description, Severity, Weakness, Affected Software
May 29, 2026
Data Sourced
via CISA·12:00 AM
Remedy, Description, Affected Software
May 30, 2026
News Published
via BleepingComputer·06:02 PM
News Published
via BleepingComputer·06:05 PM
Jun 1, 2026
News Published
via Dark Reading·02:35 PM
News Published
via Dark Reading·03:04 PM
Jun 3, 2026
Advisory Published
via Palo Alto Networks·05:45 AM

Frequently Asked Questions

1. What is the severity of CVE-2026-0257?

CVE-2026-0257 has been classified with a severity level of MEDIUM.

2. What does CVE-2026-0257 exploit?

CVE-2026-0257 exploits authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS software.

3. How do I fix CVE-2026-0257?

Fixing CVE-2026-0257 involves upgrading to the latest version of PAN-OS provided by Palo Alto Networks.

4. Who is affected by CVE-2026-0257?

CVE-2026-0257 affects users of Palo Alto Networks PAN-OS with GlobalProtect functionality.

5. What can attackers achieve with CVE-2026-0257?

Attackers can establish unauthorized VPN connections by exploiting the vulnerabilities outlined in CVE-2026-0257.
