When attackers can derive valid authentication material from a server’s publicly visible TLS certificate, the traditional perimeter VPN model faces a foundational challenge that patches alone cannot fully resolve.
Palo Alto Networks published security advisory CVE-2026-0257 on May 13, 2026, disclosing a high-severity authentication bypass vulnerability in its GlobalProtect portal and gateway products. The flaw, scored 7.8 under CVSS v4.0, allows attackers to forge authentication override cookies and establish unauthorized VPN sessions without valid credentials.
The vulnerability is now under active exploitation. CISA has added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog, ordering federal agencies to address it by June 1, 2026.
What the Vulnerability Enables
CVE-2026-0257 stems from improper validation of authentication override cookies (CWE-565: Reliance on Cookies without Validation and Integrity Checking). When GlobalProtect’s authentication override feature is enabled, the system generates cookies that can be reverse-engineered from the server’s TLS certificate configuration.
The practical impact: an attacker who can observe the target’s publicly available TLS certificate can craft authentication cookies that the system accepts as legitimate. No stolen credentials required. No brute-force attempts logged. The attacker simply presents a forged cookie and receives a VPN tunnel into the internal network.
Affected Systems and Configuration
The vulnerability affects physical and virtual firewalls running PAN-OS across multiple version branches:
- PAN-OS 12.1 (versions below 12.1.4-h6 or 12.1.7)
- PAN-OS 11.2 (versions below 11.2.12)
- PAN-OS 11.1 (versions below 11.1.15)
- PAN-OS 10.2 (versions below 10.2.18-h6)
- Prisma Access (10.2.0 and 11.2.0, pre-patch)
Critically, the vulnerability requires a specific configuration: authentication override cookies must be enabled in the GlobalProtect portal or gateway settings. Organizations that have not enabled this feature are not exposed. Cloud NGFW and Panorama are not impacted.
Why This Matters Beyond the Patch
The structural concern for security leaders is not the vulnerability itself, which Palo Alto has patched, but what it reveals about perimeter VPN architecture. Authentication override cookies exist because organizations need seamless re-authentication for mobile workforces. The feature trades security assurance for user convenience, and CVE-2026-0257 demonstrates the cost of that trade.
When the authentication material can be derived from publicly observable infrastructure (the TLS certificate), the security boundary collapses to a single point of failure. This is precisely the scenario that zero-trust network access (ZTNA) architectures are designed to prevent: continuous verification at every resource, not a single authentication event at the perimeter.
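The weakness class behind the advisory, CWE-565, is easiest to see side by side: a cookie the server trusts because it parses, versus one whose integrity rests on a random secret that exists only on the server. The following Python is an illustrative model added for this article; it is not GlobalProtect code and does not reproduce the actual PAN-OS cookie format or the specific derivation flaw. The weak and hardened issuers, the `CookieAuthority` class, and the cookie lifetime are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Illustrative model of CWE-565 (reliance on cookies without validation and
# integrity checking), written for this article. Hypothetical code: it is not
# GlobalProtect's cookie format and does not model the CVE-2026-0257 derivation.


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- Weak design: the server trusts whatever the cookie says about itself ---
def issue_weak_cookie(username: str, lifetime: int = 3600) -> str:
    """No secret is involved, so any party can produce an identical cookie."""
    payload = {"user": username, "exp": int(time.time()) + lifetime}
    return b64url_encode(json.dumps(payload).encode())


def validate_weak_cookie(cookie: str):
    """Accepts any well-formed, unexpired payload: no integrity check at all."""
    try:
        payload = json.loads(b64url_decode(cookie))
    except Exception:
        return None
    if payload.get("exp", 0) < time.time():
        return None
    return payload.get("user")


# --- Hardened design: HMAC under a random server-side secret that is neither
# derived from nor shared with public material such as the TLS certificate ---
class CookieAuthority:
    def __init__(self):
        self.secret = secrets.token_bytes(32)  # generated at startup, never leaves the server
        self.revoked = set()                   # session ids invalidated by logout or admin action

    def issue(self, username: str, lifetime: int = 3600) -> str:
        payload = {"user": username, "sid": secrets.token_hex(16),
                   "exp": int(time.time()) + lifetime}
        body = b64url_encode(json.dumps(payload, sort_keys=True).encode())
        tag = hmac.new(self.secret, body.encode(), hashlib.sha256).digest()
        return body + "." + b64url_encode(tag)

    def validate(self, cookie: str):
        """Returns the username only if the MAC verifies, the cookie is unexpired,
        and the session has not been revoked server-side."""
        try:
            body, tag_b64 = cookie.split(".", 1)
            expected = hmac.new(self.secret, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, b64url_decode(tag_b64)):
                return None
            payload = json.loads(b64url_decode(body))
        except Exception:
            return None
        if payload.get("exp", 0) < time.time() or payload.get("sid") in self.revoked:
            return None
        return payload.get("user")

    def revoke(self, cookie: str) -> None:
        """Server-side invalidation: something the weak design cannot offer."""
        try:
            payload = json.loads(b64url_decode(cookie.split(".", 1)[0]))
            self.revoked.add(payload.get("sid"))
        except Exception:
            pass
```

The design point is the second class: the only input to cookie validity that an outsider cannot observe is `self.secret`, and the server keeps a revocation list, so a single leaked or guessed cookie does not translate into a standing VPN session.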
The Disclosure-to-Exploitation Window
Palo Alto published the advisory on May 13. Rapid7’s managed detection team confirmed exploitation beginning May 17, just four days later. A second wave followed on May 21. This four-day window between disclosure and active exploitation is now the operational reality for critical VPN vulnerabilities.
For security teams whose vulnerability management programs run on 30-day patch cycles, this timeline is incompatible with the operational model. The attackers are not waiting.
What This Means for the Security Leader
CVE-2026-0257 is a case study in why perimeter authentication architectures carry structural risk. The immediate action is patching and disabling authentication override cookies. The strategic action is evaluating whether VPN-based remote access, where a single authentication event grants broad network access, remains acceptable for your organization’s risk posture.
Immediate Defender Actions
- Patch immediately. Upgrade to the fixed PAN-OS versions listed in Palo Alto’s advisory.
- Disable authentication override cookies if the feature is not business-critical. Uncheck “Generate cookie for authentication override” and “Accept cookie for authentication override” in portal and gateway settings.
- If override must remain enabled, generate dedicated certificates exclusively for this function, separate from HTTPS service certificates.
- Audit VPN logs for authentication events that did not correspond to legitimate user sessions, particularly between May 13 and your patch date.
- Evaluate ZTNA alternatives for remote access that enforce continuous verification rather than single-event perimeter authentication.
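The log audit step above can be turned into a repeatable check. The Python below is an added example for this article, not a Palo Alto tool; the CSV-style log layout (`time,user,src_ip,auth_method,event`), the sample entries, and the seven-day cookie lifetime are constructed assumptions, so map the columns to whatever your actual GlobalProtect log export contains. It flags override-cookie logins in the exposure window that have no credential-based login by the same user within the cookie lifetime, or that arrive from an address that user never authenticated from with credentials.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Hypothetical audit helper written for this article. The log layout below is
# constructed for the example and is not the real PAN-OS/GlobalProtect format.
SAMPLE_LOG = """\
time,user,src_ip,auth_method,event
2026-05-10T09:00:00Z,carol,192.0.2.44,credentials,login
2026-05-12T08:01:10Z,alice,203.0.113.10,credentials,login
2026-05-14T08:02:33Z,alice,203.0.113.10,override-cookie,login
2026-05-15T22:41:07Z,bob,198.51.100.77,override-cookie,login
2026-05-16T03:12:45Z,carol,198.51.100.5,override-cookie,login
"""

DISCLOSURE = datetime(2026, 5, 13, tzinfo=timezone.utc)  # advisory date from the article
COOKIE_LIFETIME = timedelta(days=7)                       # assumed portal cookie lifetime


def parse_log(text: str):
    """Parse the constructed CSV layout into time-sorted dict rows."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%dT%H:%M:%SZ") \
            .replace(tzinfo=timezone.utc)
        rows.append(row)
    return sorted(rows, key=lambda r: r["time"])


def find_suspicious_cookie_logins(rows, patch_date=None):
    """Return (time, user, src_ip, reason) for override-cookie logins between
    disclosure and patch_date that lack a plausible credential-based origin."""
    end = patch_date or datetime.max.replace(tzinfo=timezone.utc)
    findings = []
    for i, row in enumerate(rows):
        if row["event"] != "login" or row["auth_method"] != "override-cookie":
            continue
        if not (DISCLOSURE <= row["time"] <= end):
            continue
        # Credential logins by the same user recent enough to have minted this cookie.
        origins = [p for p in rows[:i]
                   if p["user"] == row["user"]
                   and p["auth_method"] == "credentials"
                   and row["time"] - p["time"] <= COOKIE_LIFETIME]
        if not origins:
            findings.append((row["time"], row["user"], row["src_ip"],
                             "cookie login with no credential login inside lifetime window"))
        elif row["src_ip"] not in {p["src_ip"] for p in origins}:
            findings.append((row["time"], row["user"], row["src_ip"],
                             "cookie login from address never used for credential login"))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_cookie_logins(parse_log(SAMPLE_LOG)):
        print(*finding, sep="\t")
```

In the constructed sample, alice's cookie login follows her own credential login from the same address and is left alone; bob's cookie login has no credential origin at all, and carol's comes from an address she never logged in from, so both are reported for follow-up. Pass your actual patch timestamp as `patch_date` to bound the window.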