{"api_version":"1","generated_at":"2026-06-17T05:26:02+00:00","cve":"CVE-2026-0274","urls":{"html":"https://cve.report/CVE-2026-0274","api":"https://cve.report/api/cve/CVE-2026-0274.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-0274","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-0274"},"summary":{"title":"Cortex XSOAR: Improper Validation of Credentials in CommvaultSecurityIQ integration","description":"An improper validation of credentials vulnerability in the CommvaultSecurityIQ integration for Cortex XSOAR and Cortex XSIAM allows an unauthenticated attacker to access and modify protected resources.","state":"PUBLISHED","assigner":"palo_alto","published_at":"2026-06-10 22:16:55","updated_at":"2026-06-11 15:21:30"},"problem_types":["CWE-1390","CWE-1390 CWE-1390 Weak Authentication"],"metrics":[{"version":"4.0","source":"psirt@paloaltonetworks.com","type":"Secondary","score":"8.1","severity":"HIGH","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Red","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Red","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"UNREPORTED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NO","Recovery":"USER","valueDensity":"DIFFUSE","vulnerabilityResponseEffort":"MODERATE","providerUrgency":"RED"}},{"version":"4.0","source":"CNA","type":"CVSS","score":"8.1","severity":"HIGH","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Red","data":{"Automatable":"NO","Recovery":"USER","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":8.1,"baseSeverity":"HIGH","exploitMaturity":"UNREPORTED","privilegesRequired":"NONE","providerUrgency":"RED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"DIFFUSE","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Red","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"MODERATE"}}],"references":[{"url":"https://security.paloaltonetworks.com/CVE-2026-0274","name":"https://security.paloaltonetworks.com/CVE-2026-0274","refsource":"psirt@paloaltonetworks.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-0274","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0274","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Palo Alto Networks","product":"Cortex XSIAM CommvaultSecurityIQ Marketplace","version":"affected 1.1.0 1.2.0 custom","platforms":[]},{"source":"CNA","vendor":"Palo Alto Networks","product":"Cortex XSOAR CommvaultSecurityIQ Marketplace","version":"affected 1.1.0 1.2.0 custom","platforms":[]}],"timeline":[{"source":"CNA","time":"2026-06-10T16:00:00.000Z","lang":"en","value":"Initial Publication."}],"solutions":[{"source":"CNA","title":"","value":"VERSION MINOR VERSION SUGGESTED SOLUTION\nCortex XSIAM CommvaultSecurityIQ Marketplace 1.1 1.1.0 through 1.1.9 Upgrade to 1.2.0 or later.\nCortex XSOAR CommvaultSecurityIQ Marketplace 1.1 1.1.0 through 1.1.9 Upgrade to 1.2.0 or later.","time":"","lang":"eng"}],"workarounds":[{"source":"CNA","title":"","value":"No known workarounds exist for this issue.","time":"","lang":"eng"}],"exploits":[{"source":"CNA","title":"","value":"Palo Alto Networks is not aware of any malicious exploitation of this issue.","time":"","lang":"en"}],"credits":[{"source":"CNA","value":"our internal security research teams","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"274","cve":"CVE-2026-0274","epss":"0.003150000","percentile":"0.230190000","score_date":"2026-06-16","updated_at":"2026-06-17 00:05:45"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-0274","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-06-11T13:45:28.414743Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-11T13:45:39.297Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Cortex XSIAM CommvaultSecurityIQ Marketplace","vendor":"Palo Alto Networks","versions":[{"changes":[{"at":"1.2.0","status":"unaffected"}],"lessThan":"1.2.0","status":"affected","version":"1.1.0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"Cortex XSOAR CommvaultSecurityIQ Marketplace","vendor":"Palo Alto Networks","versions":[{"changes":[{"at":"1.2.0","status":"unaffected"}],"lessThan":"1.2.0","status":"affected","version":"1.1.0","versionType":"custom"}]}],"configurations":[{"lang":"eng","supportingMedia":[{"base64":false,"type":"text/html","value":"No special configuration is required to be affected by this issue."}],"value":"No special configuration is required to be affected by this issue."}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:palo_alto_networks:cortex_xsiam_commvaultsecurityiq_marketplace:*:*:*:*:*:*:*:*","versionEndExcluding":"1.2.0","versionStartIncluding":"1.2.0","vulnerable":true}],"negate":false,"operator":"OR"},{"cpeMatch":[{"criteria":"cpe:2.3:a:palo_alto_networks:cortex_xsoar_commvaultsecurityiq_marketplace:*:*:*:*:*:*:*:*","versionEndExcluding":"1.2.0","versionStartIncluding":"1.2.0","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"OR"}],"credits":[{"lang":"en","type":"finder","value":"our internal security research teams"}],"datePublic":"2026-06-10T16:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"An improper validation of credentials vulnerability in the CommvaultSecurityIQ integration for Cortex XSOAR and Cortex XSIAM allows an unauthenticated attacker to access and modify protected resources."}],"value":"An improper validation of credentials vulnerability in the CommvaultSecurityIQ integration for Cortex XSOAR and Cortex XSIAM allows an unauthenticated attacker to access and modify protected resources."}],"exploits":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Palo Alto Networks is not aware of any malicious exploitation of this issue."}],"value":"Palo Alto Networks is not aware of any malicious exploitation of this issue."}],"impacts":[{"capecId":"CAPEC-475","descriptions":[{"lang":"en","value":"CAPEC-475 Signature Spoofing by Improper Validation"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NO","Recovery":"USER","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":8.1,"baseSeverity":"HIGH","exploitMaturity":"UNREPORTED","privilegesRequired":"NONE","providerUrgency":"RED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"DIFFUSE","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Red","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"MODERATE"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-1390","description":"CWE-1390 Weak Authentication","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-10T21:02:26.497Z","orgId":"d6c1279f-00f6-4ef7-9217-f89ffe703ec0","shortName":"palo_alto"},"references":[{"tags":["vendor-advisory"],"url":"https://security.paloaltonetworks.com/CVE-2026-0274"}],"solutions":[{"lang":"eng","supportingMedia":[{"base64":false,"type":"text/html","value":"\n \n \n \n \n \n \n \n
Version
Minor Version
Suggested Solution
Cortex XSIAM CommvaultSecurityIQ Marketplace 1.1
1.1.0 through 1.1.9Upgrade to 1.2.0 or later.
Cortex XSOAR CommvaultSecurityIQ Marketplace 1.1
1.1.0 through 1.1.9Upgrade to 1.2.0 or later.
"}],"value":"VERSION MINOR VERSION SUGGESTED SOLUTION\nCortex XSIAM CommvaultSecurityIQ Marketplace 1.1 1.1.0 through 1.1.9 Upgrade to 1.2.0 or later.\nCortex XSOAR CommvaultSecurityIQ Marketplace 1.1 1.1.0 through 1.1.9 Upgrade to 1.2.0 or later."}],"source":{"discovery":"INTERNAL"},"timeline":[{"lang":"en","time":"2026-06-10T16:00:00.000Z","value":"Initial Publication."}],"title":"Cortex XSOAR: Improper Validation of Credentials in CommvaultSecurityIQ integration","workarounds":[{"lang":"eng","supportingMedia":[{"base64":false,"type":"text/html","value":"No known workarounds exist for this issue."}],"value":"No known workarounds exist for this issue."}],"x_affectedList":["Cortex XSIAM CommvaultSecurityIQ Marketplace 1.1.0","Cortex XSIAM CommvaultSecurityIQ Marketplace 1.1.1","Cortex XSIAM CommvaultSecurityIQ Marketplace 1.1.2","Cortex XSIAM CommvaultSecurityIQ Marketplace 1.1.3","Cortex XSIAM CommvaultSecurityIQ Marketplace 1.1.4","Cortex XSIAM CommvaultSecurityIQ Marketplace 1.1.5","Cortex XSIAM CommvaultSecurityIQ Marketplace 1.1.6","Cortex XSIAM CommvaultSecurityIQ Marketplace 1.1.7","Cortex XSOAR CommvaultSecurityIQ Marketplace 1.1.0","Cortex XSOAR CommvaultSecurityIQ Marketplace 1.1.1","Cortex XSOAR CommvaultSecurityIQ Marketplace 1.1.2","Cortex XSOAR CommvaultSecurityIQ Marketplace 1.1.3","Cortex XSOAR CommvaultSecurityIQ Marketplace 1.1.4","Cortex XSOAR CommvaultSecurityIQ Marketplace 1.1.5","Cortex XSOAR CommvaultSecurityIQ Marketplace 1.1.6","Cortex XSOAR CommvaultSecurityIQ Marketplace 1.1.7","Cortex XSOAR CommvaultSecurityIQ Marketplace 1.1.8","Cortex XSOAR CommvaultSecurityIQ Marketplace 1.1.9"],"x_generator":{"engine":"Vulnogram 0.1.0-dev"}}},"cveMetadata":{"assignerOrgId":"d6c1279f-00f6-4ef7-9217-f89ffe703ec0","assignerShortName":"palo_alto","cveId":"CVE-2026-0274","datePublished":"2026-06-10T21:02:26.497Z","dateReserved":"2025-11-03T20:44:33.634Z","dateUpdated":"2026-06-11T13:45:39.297Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-10 22:16:55","lastModifiedDate":"2026-06-11 15:21:30","problem_types":["CWE-1390","CWE-1390 CWE-1390 Weak Authentication"],"metrics":{"cvssMetricV40":[{"source":"psirt@paloaltonetworks.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Red","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"UNREPORTED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NO","Recovery":"USER","valueDensity":"DIFFUSE","vulnerabilityResponseEffort":"MODERATE","providerUrgency":"RED"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"274","Ordinal":"1","Title":"Cortex XSOAR: Improper Validation of Credentials in CommvaultSec","CVE":"CVE-2026-0274","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"274","Ordinal":"1","NoteData":"An improper validation of credentials vulnerability in the CommvaultSecurityIQ integration for Cortex XSOAR and Cortex XSIAM allows an unauthenticated attacker to access and modify protected resources.","Type":"Description","Title":"Cortex XSOAR: Improper Validation of Credentials in CommvaultSec"}]}}}