CVE-2026-0257 is an authentication bypass in the GlobalProtect portal and gateway components, affecting PAN-OS 10.2, 11.1, 11.2, and 12.1 as well as Prisma Access 10.2 and 11.2. Unauthenticated remote attackers can forge authentication override cookies to establish full VPN sessions with no credentials and no user interaction. Rapid7 confirmed active intrusions beginning May 17, 2026, with a second exploitation wave on May 21.