CVE-2026-0267
Awaiting Analysis

Information Exposure in Palo Alto Networks GlobalProtect macOS App

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: Palo Alto Networks, Inc.

Description

An information exposure vulnerability in the Palo Alto Networks GlobalProtect app on macOS enables a local user to learn the configured passcodes for disabling, disconnecting, or uninstalling the GlobalProtect app. After the passcode is known, the user can perform these actions even if the GlobalProtect app configuration would not normally permit them to do so.

Meta Information

Published: 2026-06-10
Last Modified: 2026-06-10
Generated: 2026-07-01
AI Q&A: 2026-06-11
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

Showing 1 associated CPE
| Vendor | Product | Version / Range |
| --- | --- | --- |
| palo_alto_networks | globalprotect | * |

Exploitability

CWE

| CWE ID | Description |
| --- | --- |
| CWE-532 | The product writes sensitive information to a log file. |

Executive Summary

This vulnerability is an information exposure issue in the Palo Alto Networks GlobalProtect app on macOS. It allows a local user to discover the passcodes that are configured to disable, disconnect, or uninstall the GlobalProtect app.

Once the passcodes are known, the user can bypass normal restrictions and perform these actions even if the app's configuration would normally prevent them.

Impact Analysis

The impact of this vulnerability is that a local user with limited privileges can gain the ability to disable, disconnect, or uninstall the GlobalProtect app by learning the passcodes.

This could lead to a loss of security controls provided by the GlobalProtect app, potentially exposing the system or network to unauthorized access or other security risks.

Compliance Impact

This vulnerability exposes configured passcodes that control disabling, disconnecting, or uninstalling the GlobalProtect app on macOS to local users. Such exposure of sensitive system information could potentially lead to unauthorized actions that weaken security controls.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the exposure of sensitive configuration data could increase the risk of unauthorized access or disruption of security mechanisms, which may impact an organization's ability to maintain compliance with data protection and security requirements.

Mitigations such as upgrading to patched versions or disabling the vulnerable setting can reduce this risk and help maintain compliance with security best practices required by such regulations.

Detection Guidance

This vulnerability involves a local user on macOS discovering configured passcodes in the Palo Alto Networks GlobalProtect app. Detection would primarily involve checking the configuration settings on the GlobalProtect Portal and the version of the GlobalProtect app installed on macOS systems.

Specifically, verify if the GlobalProtect app versions 6.3.0 through 6.3.3 or 6.2.0 through 6.2.8-h1 are installed on macOS endpoints.

Also, check the GlobalProtect Portal configuration to see if the setting "Allow User to Uninstall GlobalProtect App" is set to "Allow with Password," which enables this vulnerability.

While no explicit commands are provided in the resources, you can use macOS commands to check the installed GlobalProtect app version, such as:

```bash
/usr/local/bin/globalprotect version
```

To check the configuration on the GlobalProtect Portal (PAN-OS or Panorama), you would need to access the management interface and review the setting for uninstall permissions.
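
The version check described above can be applied to a whole endpoint inventory. The following is an added example, not code from Palo Alto Networks or from this page's sources: it classifies reported macOS GlobalProtect versions against the affected ranges listed here, treating a hotfix suffix such as -h1 as newer than the base release. The function names, the inventory format and the sample hosts are assumptions made for illustration.

```python
import re

# Affected ranges as given in the Detection Guidance above (inclusive).
AFFECTED_RANGES = [("6.3.0", "6.3.3"), ("6.2.0", "6.2.8-h1")]

# Assumption: MAJOR.MINOR.PATCH with optional -hN hotfix, the only forms on this page.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Return (major, minor, patch, hotfix) or None if the string is not recognised."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def classify(version_text):
    """Classify one reported version against the ranges listed on this page."""
    v = parse_version(version_text)
    if v is None:
        return "unparsed"  # needs a manual look, never silently treated as safe
    for low, high in AFFECTED_RANGES:
        lo, hi = parse_version(low), parse_version(high)
        if lo <= v <= hi:
            return "affected"
        if v[:2] == lo[:2] and v > hi:
            return "fixed"  # same branch, past the last affected build
    return "not_listed"  # a branch this page says nothing about


def triage(inventory):
    """Group hostnames by classification; inventory maps hostname -> version string."""
    groups = {}
    for host, version in sorted(inventory.items()):
        groups.setdefault(classify(version), []).append(host)
    return groups


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = {
    "mac-001": "6.3.3", "mac-002": "6.3.3-h1",
    "mac-003": "6.2.8-h1", "mac-004": "6.2.8-h2",
    "mac-005": "6.1.4", "mac-006": "GlobalProtect 6.2.x",
}

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

A host reported as affected is exposed only when the portal setting described next is set to "Allow with Password", so the two checks belong together.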

Mitigation Strategies

Immediate mitigation steps include either upgrading the GlobalProtect app on macOS to patched versions or changing the vulnerable configuration setting on the GlobalProtect Portal.

  • Upgrade to GlobalProtect App version 6.3.3-h1 or later if using the 6.3 branch.
  • Upgrade to GlobalProtect App version 6.2.8-h2 or later if using the 6.2 branch.
  • Alternatively, disable the vulnerable setting by changing "Allow User to Uninstall GlobalProtect App" from "Allow with Password" to "Disallow" in the GlobalProtect Portal configuration.

These steps prevent local users from discovering the passcodes that allow disabling, disconnecting, or uninstalling the GlobalProtect app.
