SB2026051910 - Multiple vulnerabilities in Palo Alto PAN-OS
Published: May 19, 2026
Description
This security bulletin contains information about 8 vulnerabilities.
1) Reliance on Cookies without Validation and Integrity Checking (CVE-ID: CVE-2026-0257)
CWE-ID: CWE-565 - Reliance on Cookies without Validation and Integrity Checking
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to bypass security restrictions and establish an unauthorized VPN connection.
The vulnerability exists due to reliance on cookies without validation and integrity checking in the GlobalProtect portal and gateway when processing authentication override cookies. A remote attacker can send crafted authentication data to bypass security restrictions and establish an unauthorized VPN connection.
Only firewalls with the GlobalProtect portal or gateway configured are affected when authentication override cookies are enabled and a specific certificate configuration exists. Panorama and Cloud NGFW are not impacted.
2) Cross-site scripting (CVE-ID: CVE-2026-0256)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script in a victim's browser.
The vulnerability exists due to cross-site scripting in the web interface when processing stored administrator-supplied input. A remote privileged user can store a malicious JavaScript payload to execute arbitrary script in a victim's browser.
User interaction is required for the crafted content to be viewed.
3) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-0258)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to server-side request forgery (SSRF) in the IKEv2 certificate URL fetching functionality. A remote attacker can cause the firewall to send network requests to unintended destinations, resulting in a denial of service.
This issue is applicable only to configurations with a site-to-site VPN gateway with IKEv2 configured.
4) OS Command Injection (CVE-ID: CVE-2026-0261)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary commands as root.
The vulnerability exists due to command injection in the PAN-OS CLI or Web UI when processing administrator-supplied input. A remote privileged user can send crafted input to execute arbitrary commands as root.
Exploitation requires access to the PAN-OS CLI or Web UI.
5) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2026-0262)
CWE-ID: CWE-754 - Improper Check for Unusual or Exceptional Conditions
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper check for unusual or exceptional conditions in network traffic parsing when processing specially crafted network traffic. A remote attacker can send specially crafted network traffic to cause a denial of service.
No special configuration is required to be affected by this issue. Panorama and Cloud NGFW are not impacted.
6) Out-of-bounds write (CVE-ID: CVE-2026-0263)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to an out-of-bounds write when processing IKEv2 traffic. A remote attacker can send specially crafted IKEv2 packets to execute arbitrary code.
Exploitation requires IKEv2 VPN tunnels configured with Post Quantum Cryptography (PQC).
7) Heap-based buffer overflow (CVE-ID: CVE-2026-0264)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in the DNS proxy and DNS server features when processing specially crafted network traffic. A remote attacker can send specially crafted network traffic to execute arbitrary code.
This impact applies to PA-Series hardware only.
8) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2026-0265)
CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to bypass authentication controls.
The vulnerability exists due to improper verification of cryptographic signature in the Cloud Authentication Service (CAS) authentication mechanism when handling authentication requests on a login interface with CAS enabled. A remote attacker can send a crafted authentication request to bypass authentication controls.
The risk is higher when CAS is enabled on the management interface.
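As an added example that is not part of this bulletin, the following Python parses the eight CVSSv4 vectors listed above and sorts them into patch-ordering buckets, surfacing the AT:P (configuration-dependent) and E:U (no exploit reported) qualifiers a defender should read alongside the score. The bucket thresholds are my own assumptions for triage, not part of the CVSS standard.

```python
import re
# CVSSv4 vectors of the eight issues in this bulletin, copied from the page.
BULLETIN = {
    "CVE-2026-0257": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber",
    "CVE-2026-0256": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear",
    "CVE-2026-0258": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber",
    "CVE-2026-0261": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-0262": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green",
    "CVE-2026-0263": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber",
    "CVE-2026-0264": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber",
    "CVE-2026-0265": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber",
}
# Base metrics every CVSS 4.0 vector must carry; E and U are optional and kept when present.
BASE_METRICS = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")
VECTOR_RE = re.compile(r"^CVSS:4\.0(?:/[A-Z]+:[A-Za-z]+)+$")

def parse_vector(vector: str) -> dict:
    """Split a CVSS 4.0 vector into a metric -> value mapping, rejecting malformed input."""
    if not VECTOR_RE.match(vector):
        raise ValueError(f"not a CVSS 4.0 vector: {vector!r}")
    metrics = dict(part.split(":", 1) for part in vector.split("/")[1:])
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"vector lacks base metrics {missing}")
    return metrics

def triage(metrics: dict) -> dict:
    """Patch-ordering bucket (assumed thresholds) plus the flags to check before trusting it."""
    remote = metrics["AV"] == "N"
    unauth = metrics["PR"] == "N" and metrics["UI"] == "N"
    high_impact = any(metrics[m] == "H" for m in ("VC", "VI", "VA"))
    if remote and unauth and high_impact:
        bucket = "immediate"   # reachable pre-auth, no interaction, High impact
    elif remote and high_impact:
        bucket = "scheduled"   # High impact but needs privileges or interaction
    else:
        bucket = "routine"
    return {
        "bucket": bucket,
        # AT:P: a non-default configuration or state is required (here PQC IKEv2, PA-Series DNS).
        "config_dependent": metrics["AT"] == "P",
        # E:U: no exploit reported at publication; this lowers urgency, it does not mean safe.
        "exploit_unreported": metrics.get("E") == "U",
    }

def triage_bulletin(bulletin: dict = BULLETIN) -> dict:
    """Map each CVE in the bulletin to its triage record."""
    return {cve: triage(parse_vector(vec)) for cve, vec in bulletin.items()}
```

With these thresholds six of the eight issues land in the "immediate" bucket, two of them (CVE-2026-0263, CVE-2026-0264) flagged as configuration-dependent, which matches the exposure notes the bulletin gives for each item.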
Remediation
Install the updates from the vendor's website.
References
- https://security.paloaltonetworks.com/CVE-2026-0257
- https://security.paloaltonetworks.com/CVE-2026-0256
- https://security.paloaltonetworks.com/CVE-2026-0258
- https://security.paloaltonetworks.com/CVE-2026-0261
- https://security.paloaltonetworks.com/CVE-2026-0262
- https://security.paloaltonetworks.com/CVE-2026-0263
- https://security.paloaltonetworks.com/CVE-2026-0264
- https://security.paloaltonetworks.com/CVE-2026-0265