
What is CVE-2026-0257?
CVE-2026-0257 is an authentication bypass vulnerability in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS software that lets a remote attacker forge an authentication override cookie and establish an unauthorized VPN connection. The vulnerability carries a CVSS base score of 7.8 (High). It is tracked under CWE-565, reliance on cookies without validation and integrity checking.
Exploitation is unauthenticated and requires no user interaction. The attack vector is network-based with low complexity, meaning any reachable portal or gateway in a vulnerable configuration can be targeted directly over the internet.
The practical impact is unauthorized VPN access. By presenting a forged override cookie, an attacker bypasses the normal credential check and is treated as an authenticated GlobalProtect user. Observed activity has included VPN IP assignment following cookie authentication, which places the attacker on the internal network behind the firewall.
Palo Alto Networks initially rated the issue Medium and raised it to High after confirming exploitation. The vulnerability was added to the CISA Known Exploited Vulnerabilities catalog on May 29, 2026.
What assets are affected by CVE-2026-0257?
The vulnerable component is the GlobalProtect portal and gateway in PAN-OS. Affected releases span PAN-OS 10.2, 11.1, 11.2, and 12.1, along with the corresponding Prisma Access versions. Panorama and Cloud NGFW are not impacted.
Exposure is conditional rather than universal. A device is only vulnerable when a GlobalProtect portal or gateway is configured, the authentication override cookie feature is enabled, and the certificate used to encrypt and decrypt the override cookie is shared with another feature instead of being dedicated to that purpose. Devices without authentication override, or with a dedicated certificate, are not exposed to this issue.
In practice, an affected asset is an internet-facing firewall publishing a GlobalProtect VPN portal, typically on TCP/443. These appliances sit at the network edge by design, are reachable from untrusted networks, and frequently carry long-lived configurations where override cookies were enabled for user convenience and the certificate condition went unnoticed. That combination of edge placement and legacy configuration is what turns a conditional flaw into a reachable one.
What does our data show about exposure patterns?

Exposure in the observed asset set is led by Industrials at 25.3% of assets, with Communication Services contributing 16.4% and Energy adding 11.8%.
The concentration in Industrials is consistent with how these organizations operate. Manufacturers, engineering firms, and logistics operators run geographically distributed sites, each with its own remote-access needs, and GlobalProtect is a common way to connect field staff, plants, and partners.
Distributed deployments accumulate portals and gateways over time, and configuration choices made years ago for one site tend to persist across the estate, including override cookie settings that predate current guidance.
The remaining 46.5% sits in the Others bucket, much of it unclassified. That large unattributed share is itself a finding. Internet-facing VPN portals are often stood up for a project, a region, or an acquisition and then drift out of active inventory, which is exactly the kind of forgotten edge infrastructure where a conditional misconfiguration survives unexamined.
The cross-sector spread shows the risk driver is not any single industry but incomplete visibility into where GlobalProtect is exposed and how it is configured.
Are fixes available?
Yes. Palo Alto Networks has released fixed PAN-OS versions across all affected trains, including 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, 10.2.18-h6, 11.1.15 and its hotfix releases, 11.2.12 and its hotfix releases, and 12.1.7. Prisma Access is being upgraded by the vendor according to the published customer schedule.
Defenders should note a one-time operational effect of the fix. After upgrading, a firewall configured to use an authentication override cookie regenerates that cookie using a more secure method, so GlobalProtect users must re-authenticate once even if a valid cookie is present. This is expected behavior and not a sign of failure.
Because fixed versions vary by train and hotfix level, organizations should verify the exact target release against the vendor advisory for their installed version rather than assuming a single patch applies across the estate.
Are there any other recommended actions to take?
Until patching is confirmed, defenders should:
- Inventory all internet-facing GlobalProtect portals and gateways
- Check whether authentication override cookie generation or acceptance is enabled
- Disable authentication override where it is not operationally required
- Replace any shared certificate with one dedicated to override cookies
- Monitor GlobalProtect logs for unexpected VPN sessions and anomalous source addresses
- Restrict portal and management access to trusted networks where feasible
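The monitoring step above can be turned into a simple triage script. The following is an added example, not code from CyCognito or Palo Alto Networks: it runs over constructed GlobalProtect-style login records (the CSV column layout, the expected source networks, and the sample addresses are assumptions made for this example, not real PAN-OS output) and flags three patterns that fit the behaviour described on this page: a cookie-based login from a source address the user has never authenticated to with real credentials, a login from outside the address ranges remote users are expected to come from, and several distinct users logging in from one source address.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample records (NOT real PAN-OS output). The column layout is an
# assumption for this example: timestamp, event, auth_method, user, source_ip, vpn_ip.
SAMPLE_LOG = """\
2026-05-28T08:01:12Z,gateway-login,credentials,alice,203.0.113.10,10.50.0.11
2026-05-28T08:05:40Z,gateway-login,cookie,alice,203.0.113.10,10.50.0.11
2026-05-28T09:12:03Z,gateway-login,cookie,bob,198.51.100.77,10.50.0.12
2026-05-28T09:13:55Z,gateway-login,cookie,carol,198.51.100.77,10.50.0.13
2026-05-28T09:14:20Z,gateway-login,cookie,dave,198.51.100.77,10.50.0.14
2026-05-28T10:00:00Z,gateway-login,credentials,erin,192.0.2.5,10.50.0.15
"""

FIELDS = ["timestamp", "event", "auth_method", "user", "source_ip", "vpn_ip"]

# Networks the organisation expects its remote users to connect from (assumed values).
EXPECTED_SOURCES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("192.0.2.0/24"),
]


def parse_log(text):
    """Parse CSV login records (in the assumed layout) into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text), fieldnames=FIELDS))


def find_suspicious_sessions(records, expected_sources=EXPECTED_SOURCES, fanout_threshold=3):
    """Return (rule, user_or_users, source_ip) findings for records in time order.

    Rules:
      unexpected-source ................. login from outside expected_sources
      cookie-without-prior-credential-login .. cookie auth from a source address
                                            this user never used with credentials
      many-users-one-source ............. >= fanout_threshold users from one address
    """
    findings = []
    cred_sources = defaultdict(set)      # user -> addresses seen with credential logins
    users_per_source = defaultdict(set)  # source address -> users seen from it

    for r in records:
        if r["event"] != "gateway-login":
            continue
        src = ipaddress.ip_address(r["source_ip"])
        users_per_source[src].add(r["user"])

        if not any(src in net for net in expected_sources):
            findings.append(("unexpected-source", r["user"], r["source_ip"]))

        if r["auth_method"] == "credentials":
            cred_sources[r["user"]].add(src)
        elif r["auth_method"] == "cookie" and src not in cred_sources[r["user"]]:
            # A cookie accepted from an address with no earlier credential login is
            # the pattern a forged override cookie would produce.
            findings.append(("cookie-without-prior-credential-login", r["user"], r["source_ip"]))

    for src, users in users_per_source.items():
        if len(users) >= fanout_threshold:
            findings.append(("many-users-one-source", ",".join(sorted(users)), str(src)))
    return findings


if __name__ == "__main__":
    for rule, who, src in find_suspicious_sessions(parse_log(SAMPLE_LOG)):
        print(f"{rule:40s} {who:20s} {src}")
```

On the constructed sample, alice's cookie login is accepted silently because it comes from the address she used with credentials minutes earlier, while the three cookie logins from 198.51.100.77 are flagged by every rule. Note that after the vendor fix is applied, every user re-authenticates once with credentials, so a wave of credential logins following an upgrade is expected and should not itself be treated as a finding.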
How can CyCognito help your organization?
CyCognito published an Emerging Threat Advisory for CVE-2026-0257 in the CyCognito platform and is actively researching enhanced detection capabilities for this vulnerability.
To learn how CyCognito can help your organization reduce external exposure and manage emerging threats more effectively, contact us to request a demo.