CVE-2026-0257
Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allow an attacker to bypass security restrictions and establish an unauthorized VPN connection.
Panorama and Cloud NGFW are not impacted by these issues.
https://nvd.nist.gov/vuln/detail/CVE-2026-0257
Categories
CWE-565: Reliance on Cookies without Validation and Integrity Checking
Description: The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.
Detection: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Mitigations:
- Avoid using cookie data for a security-related decision.
- Perform thorough input validation (i.e., server-side validation) on the cookie data if you are going to use it for a security-related decision.
- Add integrity checks to detect tampering.
- Protect critical cookies from replay attacks, since cross-site scripting or other attacks may allow attackers to steal a strongly encrypted cookie that also passes integrity checks. This mitigation applies to cookies that should only be valid during a single transaction or session. By enforcing timeouts, you may limit the scope of an attack.
- As part of your integrity check, use an unpredictable, server-side value that is not exposed to the client.
Observed example: an e-dating application grants admin privileges when the admin cookie is set to 1.
References
psirt@paloaltonetworks.com
AFFECTED (from MITRE)
| Vendor | Product | Versions |
| --- | --- | --- |
| Palo Alto Networks | Cloud NGFW | |
| Palo Alto Networks | PAN-OS | 12.1.0 < 12.1.7, 12.1.4-h6 (with specific changes) [affected] |
| Palo Alto Networks | PAN-OS | 11.2.0 < 11.2.12, 11.2.10-h7, 11.2.7-h14, 11.2.4-h17 (with specific changes) [affected] |
| Palo Alto Networks | PAN-OS | 11.1.0 < 11.1.15, 11.1.13-h5, 11.1.10-h25, 11.1.7-h6, 11.1.6-h32, 11.1.4-h33 (with specific changes) [affected] |
| Palo Alto Networks | PAN-OS | 10.2.0 < 10.2.18-h6, 10.2.16-h7, 10.2.13-h21, 10.2.10-h36, 10.2.7-h34 (with specific changes) [affected] |
| Palo Alto Networks | Prisma Access | 10.2.0 < 10.2.10-h36 (with specific changes) [affected] |
| Palo Alto Networks | Prisma Access | 11.2.0 < 11.2.7-h13 (with specific changes) [affected] |
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
CPE
Configuration 1 (each OR group lists alternative matches)
OR:
| cpe | start | end |
| --- | --- | --- |
| cpe:2.3:a:palo_alto_networks:cloud_ngfw:all:*:*:*:*:*:*:* | | |
OR:
| cpe | start | end |
| --- | --- | --- |
| cpe:2.3:a:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* | >= 12.1.0 | < 12.1.7_12.1.4-h6 |
| cpe:2.3:a:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* | >= 11.2.0 | < 11.2.12_11.2.10-h7_11.2.7-h14_11.2.4-h17 |
| cpe:2.3:a:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* | >= 11.1.0 | < 11.1.15_11.1.13-h5_11.1.10-h25_11.1.7-h6_11.1.6-h32_11.1.4-h33 |
| cpe:2.3:a:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* | >= 10.2.0 | < 10.2.18-h6_10.2.16-h7_10.2.13-h21_10.2.10-h36_10.2.7-h34 |
OR:
| cpe | start | end |
| --- | --- | --- |
| cpe:2.3:a:palo_alto_networks:prisma_access:*:*:*:*:*:*:*:* | >= 10.2.0 | < 10.2.10-h36 |
| cpe:2.3:a:palo_alto_networks:prisma_access:*:*:*:*:*:*:*:* | >= 11.2.0 | < 11.2.7-h13 |
REMEDIATION
EXPLOITS
Exploit-db.com
| id | description | date |
| --- | --- | --- |
| No known exploits | | |
PoC GitHub
Other NIST (GitHub, ...)
CAPEC
Common Attack Pattern Enumerations and Classifications

CAPEC-226: Session Credential Falsification through Manipulation (severity: Medium)
An attacker manipulates an existing credential in order to gain access to a target application. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. An attacker may be able to manipulate a credential sniffed from an existing connection in order to gain access to a target server.

CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies (severity: High)
This attack relies on the use of HTTP cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form involves accessing HTTP cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server; the intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server; here the adversary seeks to convince the target server to operate on this falsified information.
Execution flow:
- Obtain copy of cookie: The adversary first needs to obtain a copy of the cookie. The adversary may be a legitimate end user wanting to escalate privilege, or could be somebody sniffing on a network to get a copy of HTTP cookies.
- Obtain sensitive information from cookie: The adversary may be able to get sensitive information from the cookie. The web application developers may have assumed that cookies are not accessible by end users, and thus may have put potentially sensitive information in them.
- Modify cookie to subvert security controls: The adversary may be able to modify or replace cookies to bypass security controls in the application.

CAPEC-39: Manipulating Opaque Client-based Data Tokens (severity: Medium)
In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth), that data can be manipulated. If client- or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information), then even opaquely manipulating that data may bear fruit for an attacker. In this pattern an attacker undermines the assumption that client-side tokens have been adequately protected from tampering through use of encryption or obfuscation.
Execution flow:
- Enumerate information passed to client side: The attacker identifies the parameters used as part of tokens to take business or security decisions.
- Determine protection mechanism for opaque token: The attacker determines the protection mechanism used to protect the confidentiality and integrity of these data tokens. They may be obfuscated, or full-blown encryption may be used.
- Modify parameter/token values: Trying each parameter in turn, the attacker modifies the values.
- Cycle through values for each parameter: Depending on the nature of the application, the attacker now cycles through values of each parameter and observes the effects of this modification in the data returned by the server.
MITRE
Techniques
| id | description |
| --- | --- |
| T1539 | Steal Web Session Cookie |
Mitigations
| id | description |
| --- | --- |
| M1017 | Train users to identify aspects of phishing attempts where they're asked to enter credentials into a site that has the incorrect domain for the application they are logging into. Additionally, train users not to run untrusted JavaScript in their browser, such as by copying and pasting code or dragging and dropping bookmarklets. |