CVE-2026-0257

CRITICAL CISA KEV

Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allow an attacker to bypass security restrictions and establish an unauthorized VPN connection. Panorama and Cloud NGFW are not impacted by these issues.

Published: May 13, 2026
Modified: Jun 1, 2026
CWE-565

CVSS Metrics

CVSSv3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Products (161)

Vendor Product Version
paloaltonetworks pan-os * < 10.2.7
paloaltonetworks pan-os 10.2.7
paloaltonetworks pan-os 10.2.7
paloaltonetworks pan-os 10.2.7
paloaltonetworks pan-os 10.2.7
paloaltonetworks pan-os 10.2.7
paloaltonetworks pan-os 10.2.7
paloaltonetworks pan-os 10.2.7
paloaltonetworks pan-os 10.2.7
paloaltonetworks pan-os 10.2.7
paloaltonetworks pan-os 10.2.7
paloaltonetworks pan-os 10.2.7
paloaltonetworks pan-os 10.2.7
paloaltonetworks pan-os 10.2.8
paloaltonetworks pan-os 10.2.9
paloaltonetworks pan-os 10.2.10
paloaltonetworks pan-os 10.2.10
paloaltonetworks pan-os 10.2.10
paloaltonetworks pan-os 10.2.10
paloaltonetworks pan-os 10.2.10

…and 141 more

GitHub Security Advisory GHSA-jqxw-84hx-6qj5

Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto...

Risk Scores

CVSS Score 9.1 / 10
EPSS Score 36.34%

Top 3% most likely to be exploited

Threat Score 77.3 / 100

CISA Known Exploited

Date Added: 2026-05-29
Due Date: 2026-06-01
Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Data Sources

NVD CISA KEV EPSS GitHub