This issue affects firewalls with GlobalProtect portal or gateway configured when authentication override cookies are enabled and a specific certificate configuration exists. To check if authentication cookies are enabled follow the steps below:
On the Portal:
1. Navigate to Network > GlobalProtect > Portals in the management interface.
2. Click on your Portal Name and go to the Agent tab.
3. Click on your Agent Configuration profile.
4. Go to the Authentication tab.
5. Generate cookie for authentication override or Accept cookie for authentication override options are checked.
Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection.
Panorama and Cloud NGFW are not impacted by these issues.
Palo Alto Networks is not aware of any malicious exploitation of these issues.
"}],"value":"Palo Alto Networks is not aware of any malicious exploitation of these issues."}],"impacts":[{"capecId":"CAPEC-114","descriptions":[{"lang":"en","value":"CAPEC-114 Authentication Abuse"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NO","Recovery":"AUTOMATIC","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":4.7,"baseSeverity":"MEDIUM","exploitMaturity":"UNREPORTED","privilegesRequired":"NONE","providerUrgency":"AMBER","subAvailabilityImpact":"NONE","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","userInteraction":"NONE","valueDensity":"DIFFUSE","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/AU:N/R:A/V:D/RE:M/U:Amber","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnerabilityResponseEffort":"MODERATE"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-565","description":"CWE-565 Reliance on Cookies without Validation and Integrity Checking","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-13T18:15:10.172Z","orgId":"d6c1279f-00f6-4ef7-9217-f89ffe703ec0","shortName":"palo_alto"},"references":[{"tags":["vendor-advisory"],"url":"https://security.paloaltonetworks.com/CVE-2026-0257"}],"solutions":[{"lang":"eng","supportingMedia":[{"base64":false,"type":"text/html","value":"| Version | Minor Version | Suggested Solution |
|---|---|---|
| Cloud NGFW All | No action needed. | |
| PAN-OS 12.1 | \n 12.1.5 through 12.1.6 | \nUpgrade to 12.1.7 or later. | \n
| \n | 12.1.2 through 12.1.4-h* | \nUpgrade to 12.1.4-h6 or 12.1.7 or later. | \n
| PAN-OS 11.2 | \n 11.2.11 or later | \nUpgrade to 11.2.12 or later. | \n
| \n | 11.2.8 through 11.2.10-h* | \nUpgrade to 11.2.10-h7 or 11.2.12 or later. | \n
| \n | 11.2.5 through 11.2.7-h* | \nUpgrade to 11.2.7-h14 or 11.2.12 or later. | \n
| \n | 11.2.0 through 11.2.4-h* | \nUpgrade to 11.2.4-h17 or 11.2.12 or later. | \n
| PAN-OS 11.1 | \n 11.1.14 or later | \nUpgrade to 11.1.15 or later. | \n
| \n | 11.1.11 through 11.1.13-h* | \nUpgrade to 11.1.13-h5 or 11.1.15 or later. | \n
| \n | 11.1.8 through 11.1.10-h* | \nUpgrade to 11.1.10-h25 or 11.1.15 or later. | \n
| \n | 11.1.7 through 11.1.7-h* | \nUpgrade to 11.1.7-h6 or 11.1.15 or later. | \n
| \n | 11.1.5 through 11.1.6-h* | \nUpgrade to 11.1.6-h32 or 11.1.15 or later. | \n
| \n | 11.1.0 through 11.1.4-h* | \nUpgrade to 11.1.4-h33 or 11.1.15 or later. | \n
| PAN-OS 10.2 | \n 10.2.17 through 10.2.18-h* | \nUpgrade to 10.2.18 or 10.2.18-h6 or later. | \n
| \n | 10.2.14 through 10.2.16-h* | \nUpgrade to 10.2.16-h7 or 10.2.18 or later. | \n
| \n | 10.2.11 through 10.2.13-h* | \nUpgrade to 10.2.13-h21 or 10.2.18 or later. | \n
| \n | 10.2.8 through 10.2.10-h* | \nUpgrade to 10.2.10-h36 or 10.2.18 or later. | \n
| \n | 10.2.0 through 10.2.7-h* | \nUpgrade to 10.2.7-h34 or 10.2.18 or later. | \n
| All older unsupported PAN-OS versions | Upgrade to a supported fixed version. | |
| Prisma Access 10.2 | \n 10.2.0 through 10.2.10-h* | \nUpgrade to 10.2.10-h36 or later. | \n
| Prisma Access 11.2 | \n 11.2.0 through 11.2.7-h* | \nUpgrade to 11.2.7-h13 or later. | \n
Note: With this fix, if the firewall is configured to use an authentication override cookie for the GlobalProtect Portal or Gateway, it will regenerate the cookie using a more secure method. Therefore, GP users will need to re-authenticate after a PAN-OS upgrade, even if a valid cookie is present. This is a one time requirement. Once they re-authenticate after the upgrade, the authentication override cookie and its validity will work as they do today.
"}],"value":"VERSION MINOR VERSION SUGGESTED SOLUTION\nCloud NGFW All No action needed.\nPAN-OS 12.1 12.1.5 through 12.1.6 Upgrade to 12.1.7 or later.\n 12.1.2 through 12.1.4-h* Upgrade to 12.1.4-h6 or 12.1.7 or later.\nPAN-OS 11.2 11.2.11 or later Upgrade to 11.2.12 or later.\n 11.2.8 through 11.2.10-h* Upgrade to 11.2.10-h7 or 11.2.12 or later.\n 11.2.5 through 11.2.7-h* Upgrade to 11.2.7-h14 or 11.2.12 or later.\n 11.2.0 through 11.2.4-h* Upgrade to 11.2.4-h17 or 11.2.12 or later.\nPAN-OS 11.1 11.1.14 or later Upgrade to 11.1.15 or later.\n 11.1.11 through 11.1.13-h* Upgrade to 11.1.13-h5 or 11.1.15 or later.\n 11.1.8 through 11.1.10-h* Upgrade to 11.1.10-h25 or 11.1.15 or later.\n 11.1.7 through 11.1.7-h* Upgrade to 11.1.7-h6 or 11.1.15 or later.\n 11.1.5 through 11.1.6-h* Upgrade to 11.1.6-h32 or 11.1.15 or later.\n 11.1.0 through 11.1.4-h* Upgrade to 11.1.4-h33 or 11.1.15 or later.\nPAN-OS 10.2 10.2.17 through 10.2.18-h* Upgrade to 10.2.18 or 10.2.18-h6 or later.\n 10.2.14 through 10.2.16-h* Upgrade to 10.2.16-h7 or 10.2.18 or later.\n 10.2.11 through 10.2.13-h* Upgrade to 10.2.13-h21 or 10.2.18 or later.\n 10.2.8 through 10.2.10-h* Upgrade to 10.2.10-h36 or 10.2.18 or later.\n 10.2.0 through 10.2.7-h* Upgrade to 10.2.7-h34 or 10.2.18 or later.\nAll older Upgrade to a supported fixed version.\nunsupported\nPAN-OS versions\nPrisma Access 10.2 10.2.0 through 10.2.10-h* Upgrade to 10.2.10-h36 or later.\nPrisma Access 11.2 11.2.0 through 11.2.7-h* Upgrade to 11.2.7-h13 or later.\n\nNote: With this fix, if the firewall is configured to use an authentication override cookie for the GlobalProtect Portal or Gateway, it will regenerate the cookie using a more secure method. Therefore, GP users will need to re-authenticate after a PAN-OS upgrade, even if a valid cookie is present. This is a one time requirement. Once they re-authenticate after the upgrade, the authentication override cookie and its validity will work as they do today."}],"source":{"discovery":"INTERNAL"},"timeline":[{"lang":"en","time":"2026-05-13T16:00:00.000Z","value":"Initial publication."}],"title":"PAN-OS: GlobalProtect Authentication Bypass Vulnerabilities","workarounds":[{"lang":"eng","supportingMedia":[{"base64":false,"type":"text/html","value":"Customers can mitigate the risk of this issue by taking any of the following actions: