An arbitrary File Read and Delete Vulnerability in Palo Alto Networks WildFire® WF-500 and WF-500-B appliances enables users to read sensitive information and delete arbitrary files. This vulnerability affects WF-500 and WF-500-B appliances running in the default non-FIPS configuration mode.
The WildFire Appliance (WF-500, WF-500-B) software update is now available to customers that use the WildFire Appliance (WF-500, WF-500-B) for on-premise sandboxing.
Please note that customers using the WildFire Public cloud service are NOT impacted by this vulnerability.
Palo Alto Networks is not aware of any malicious exploitation of this issue.
"}],"value":"Palo Alto Networks is not aware of any malicious exploitation of this issue."}],"impacts":[{"capecId":"CAPEC-597","descriptions":[{"lang":"en","value":"CAPEC-597 Absolute Path Traversal"}]}],"metrics":[{"cvssV4_0":{"Automatable":"YES","Recovery":"USER","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":5,"baseSeverity":"MEDIUM","exploitMaturity":"UNREPORTED","privilegesRequired":"LOW","providerUrgency":"AMBER","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"CONCENTRATED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/AU:Y/R:U/V:C/RE:M/U:Amber","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnerabilityResponseEffort":"MODERATE"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-73","description":"CWE-73 External Control of File Name or Path","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-13T18:05:45.862Z","orgId":"d6c1279f-00f6-4ef7-9217-f89ffe703ec0","shortName":"palo_alto"},"references":[{"tags":["vendor-advisory"],"url":"https://security.paloaltonetworks.com/CVE-2026-0259"}],"solutions":[{"lang":"eng","supportingMedia":[{"base64":false,"type":"text/html","value":"| Version | Minor Version Range | Suggested Solution |
|---|---|---|
| WildFire WF-500 and WF-500-B 12.1 | 12.1.5 through 12.1.6 | Upgrade to 12.1.7 or later. |
| 12.1.2 through 12.1.4-h* | Upgrade to 12.1.4-h5 or 12.1.7 or later. | |
| WildFire WF-500 and WF-500-B 11.2 | 11.2.11 or later | Upgrade to 11.2.12 or later. |
| 11.2.8 through 11.2.10-h* | Upgrade to 11.2.10-h6 or 11.2.12 or later. | |
| 11.2.5 through 11.2.7-h* | Upgrade to 11.2.7-h13 or 11.2.12 or later. | |
| 11.2.0 through 11.2.4-h* | Upgrade to 11.2.4-h17 or 11.2.12 or later. | |
| WildFire WF-500 and WF-500-B 11.1 | 11.1.14 or later | Upgrade to 11.1.15 or later. |
| 11.1.11 through 11.1.13-h* | Upgrade to 11.1.13-h5 or 11.1.15 or later. | |
| 11.1.8 through 11.1.10-h* | Upgrade to 11.1.10-h25 or 11.1.15 or later. | |
| 11.1.7 through 11.1.7-h* | Upgrade to 11.1.7-h6 or 11.1.15 or later. | |
| 11.1.5 through 11.1.6-h* | Upgrade to 11.1.6-h32 or 11.1.15 or later. | |
| 11.1.0 through 11.1.4-h* | Upgrade to 11.1.4-h33 or 11.1.15 or later. | |
| WildFire WF-500 and WF-500-B 10.2 | 10.2.17 through 10.2.18-h* | Upgrade to 10.2.18-h6 or later. |
| 10.2.14 through 10.2.16-h* | Upgrade to 10.2.16-h7 or 10.2.18-h6 or later. | |
| 10.2.11 through 10.2.13-h* | Upgrade to 10.2.13-h21 or 10.2.18-h6 or later. | |
| 10.2.8 through 10.2.10-h* | Upgrade to 10.2.10-h36 or 10.2.18-h6 or later. | |
| 10.2.0 through 10.2.7-h* | Upgrade to 10.2.7-h34 or 10.2.18-h6 or later. | |
| WildFire WF-500 and WF-500-B 10.1 | All (EoL) | No fix planned. Upgrade to a supported version. |
For airgapped deployments, we strongly recommend that you secure WildFire 500 appliances by restricting access to only trusted internal IP addresses.
Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 510010 (Applications and Threats content version 9100-10044 and later).
Please note that this Threat ID requires SSL Decryption.
"}],"value":"For airgapped deployments, we strongly recommend that you secure WildFire 500 appliances by restricting access to only trusted internal IP addresses.\n\nCustomers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 510010 (Applications and Threats content version 9100-10044 and later).\n\n\nPlease note that this Threat ID requires SSL Decryption."}],"x_affectedList":["WildFire WF-500 and WF-500-B 12.1.0","WildFire WF-500 and WF-500-B 12.1.1","WildFire WF-500 and WF-500-B 12.1.2","WildFire WF-500 and WF-500-B 12.1.3","WildFire WF-500 and WF-500-B 11.2.0","WildFire WF-500 and WF-500-B 11.2.1","WildFire WF-500 and WF-500-B 11.2.2","WildFire WF-500 and WF-500-B 11.2.3","WildFire WF-500 and WF-500-B 11.1.0","WildFire WF-500 and WF-500-B 11.1.1","WildFire WF-500 and WF-500-B 11.1.2","WildFire WF-500 and WF-500-B 11.1.3","WildFire WF-500 and WF-500-B 10.2.0","WildFire WF-500 and WF-500-B 10.2.1","WildFire WF-500 and WF-500-B 10.2.2","WildFire WF-500 and WF-500-B 10.2.3","WildFire WF-500 and WF-500-B 10.2.4","WildFire WF-500 and WF-500-B 10.2.5","WildFire WF-500 and WF-500-B 10.2.6"],"x_generator":{"engine":"Vulnogram 0.1.0-dev"}}},"cveMetadata":{"assignerOrgId":"d6c1279f-00f6-4ef7-9217-f89ffe703ec0","assignerShortName":"palo_alto","cveId":"CVE-2026-0259","datePublished":"2026-05-13T18:05:45.862Z","dateReserved":"2025-11-03T20:44:19.922Z","dateUpdated":"2026-05-13T18:57:18.638Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-13 19:17:01","lastModifiedDate":"2026-05-14 16:21:23","problem_types":["CWE-73","CWE-73 CWE-73 External Control of File Name or Path"],"metrics":{"cvssMetricV40":[{"source":"psirt@paloaltonetworks.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Amber","baseScore":5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"UNREPORTED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"YES","Recovery":"USER","valueDensity":"CONCENTRATED","vulnerabilityResponseEffort":"MODERATE","providerUrgency":"AMBER"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"259","Ordinal":"1","Title":"WildFire WF-500 and WF-500-B: Arbitrary File Read and Delete Vul","CVE":"CVE-2026-0259","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"259","Ordinal":"1","NoteData":"An arbitrary File Read and Delete Vulnerability in Palo Alto Networks WildFire® WF-500 and WF-500-B appliances enables users to read sensitive information and delete arbitrary files. This vulnerability affects WF-500 and WF-500-B appliances running in the default non-FIPS configuration mode.\n\n\n\nThe WildFire Appliance (WF-500, WF-500-B) software update is now available to customers that use the WildFire Appliance (WF-500, WF-500-B) for on-premise sandboxing.\n\n\n\nPlease note that customers using the WildFire Public cloud service are NOT impacted by this vulnerability.","Type":"Description","Title":"WildFire WF-500 and WF-500-B: Arbitrary File Read and Delete Vul"}]}}}