Palo Alto Networks PAN-OS Authentication Bypass Vulnerability Exploited in the Wild
On May 29, 2026, CISA added CVE-2026-0257, a critical authentication bypass vulnerability in Palo Alto Networks’ PAN-OS and Prisma Access, to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in the wild.
The flaw resides in the "authentication override" feature, a non-default setting in GlobalProtect portals and gateways that issues session cookies to authenticated users, eliminating the need for repeated logins. The vulnerability is triggered when the same certificate used to encrypt and decrypt these cookies is also employed by another feature, such as the HTTPS service of the portal or gateway.
Exploitation of this misconfiguration allows attackers to bypass authentication controls, potentially gaining unauthorized access to affected systems. The issue underscores the risks of improperly configured security features, even in enterprise-grade solutions. Organizations using PAN-OS or Prisma Access with the authentication override feature enabled are urged to review their deployments for shared certificate usage.
Source: https://www.linkedin.com/feed/update/urn:li:activity:7466322531126284289
Palo Alto Networks TPRM report: https://www.rankiteo.com/company/palo-alto-networks
"id": "pal1780115030",
"linkid": "palo-alto-networks",
"type": "Vulnerability",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Cybersecurity',
                        'name': 'Palo Alto Networks',
                        'type': 'Vendor'}],
 'attack_vector': 'Exploitation of misconfigured certificate usage in '
                  'PAN-OS/Prisma Access',
 'date_detected': '2026-05-29',
 'date_publicly_disclosed': '2026-05-29',
 'description': 'CISA added CVE-2026-0257, a critical authentication bypass '
                'vulnerability in Palo Alto Networks’ PAN-OS and Prisma '
                'Access, to its Known Exploited Vulnerabilities (KEV) catalog '
                'after confirming active exploitation in the wild. The flaw '
                "resides in the 'authentication override' feature, a "
                'non-default setting in GlobalProtect portals and gateways '
                'that issues session cookies to authenticated users. The '
                'vulnerability is triggered when the same certificate used to '
                'encrypt and decrypt these cookies is also employed by another '
                'feature, such as the HTTPS service of the portal or gateway. '
                'Exploitation allows attackers to bypass authentication '
                'controls, potentially gaining unauthorized access to affected '
                'systems.',
 'impact': {'operational_impact': 'Unauthorized access to affected systems',
            'systems_affected': 'PAN-OS and Prisma Access with authentication '
                                'override feature enabled'},
 'lessons_learned': 'The incident underscores the risks of improperly '
                    'configured security features, even in enterprise-grade '
                    'solutions.',
 'post_incident_analysis': {'root_causes': 'Misconfiguration of shared '
                                           'certificate usage in the '
                                           'authentication override feature'},
 'recommendations': 'Organizations using PAN-OS or Prisma Access with the '
                    'authentication override feature enabled are urged to '
                    'review their deployments for shared certificate usage.',
 'references': [{'date_accessed': '2026-05-29',
                 'source': 'CISA Known Exploited Vulnerabilities (KEV) '
                           'catalog'}],
 'regulatory_compliance': {'regulatory_notifications': 'CISA KEV catalog '
                                                       'addition'},
 'title': 'Palo Alto Networks PAN-OS Authentication Bypass Vulnerability '
          'Exploited in the Wild',
 'type': 'Authentication Bypass',
 'vulnerability_exploited': 'CVE-2026-0257'}