CVE-2026-0257 is a CVSS 9.5 authentication bypass in PAN-OS GlobalProtect that allows unauthenticated attackers to forge valid session cookies using the device’s own public TLS certificate, bypassing VPN authentication entirely. Active mass exploitation is confirmed, public PoC code is circulating, and the vulnerability has been added to the CISA KEV catalog. Any organization with an internet-facing GlobalProtect portal or gateway is at immediate risk of perimeter compromise.