Description
Incorrect Authorization vulnerabilities in Trust Protection Foundation allow attackers to bypass access controls and perform unauthorized actions on restricted resources.
Published: 2026-05-13
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from incorrect authorization logic within Trust Protection Foundation, allowing an attacker to bypass established access controls and carry out actions on resources that should be restricted. The primary consequence is the unauthorized use of system functionality and potential manipulation of protected data, representing a moderate impact on confidentiality and integrity but not necessarily leading to full system compromise.

Affected Systems

Both major releases of Palo Alto Networks Trust Protection Foundation—24.x and 25.x—are affected. Vulnerable versions include 24.1.0 through 24.1.12, 24.3.0 through 24.3.5, 25.1.0 through 25.1.7, and 25.3.0 through 25.3.2. The description does not specify additional hardware or firmware variants, so the listed software versions constitute the current scope.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate severity level. No EPSS score is supplied, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited exploitation activity to date. The attack vector is inferred to be either authenticated or local, since the flaw hinges on control over authorization checks; however, the description does not detail the exact prerequisites, so the risk assessment remains conservative. With official patches available, the likelihood of successful exploitation decreases when those updates are applied.

Generated by OpenCVE AI on May 13, 2026 at 21:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Palo Alto Networks Trust Protection Foundation to version 25.3.3 or later.
  • Upgrade Palo Alto Networks Trust Protection Foundation to version 25.1.8 or later.
  • Upgrade Palo Alto Networks Trust Protection Foundation to version 24.3.6 or later.
  • Upgrade Palo Alto Networks Trust Protection Foundation to version 24.1.13 or later.
  • Review and reinforce authorization logic in line with CWE-754 best practices, ensuring access controls reference the correct role permissions and preventing privilege escalation.

Generated by OpenCVE AI on May 13, 2026 at 21:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 19:15:00 +0000

Type Values Removed Values Added
Description Incorrect Authorization vulnerabilities in Trust Protection Foundation allow attackers to bypass access controls and perform unauthorized actions on restricted resources.
Title Trust Protection Foundation: Multiple Authorization Bypass Vulnerabilities
First Time appeared Palo Alto Networks
Palo Alto Networks trust Protection Foundation
Weaknesses CWE-754
CPEs cpe:2.3:a:palo_alto_networks:trust_protection_foundation:*:*:*:*:*:*:*:*
Vendors & Products Palo Alto Networks
Palo Alto Networks trust Protection Foundation
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:L/SI:L/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Amber'}

Subscriptions

Palo Alto Networks Trust Protection Foundation
cve-icon MITRE

Status: PUBLISHED

Assigner: palo_alto

Published:

Updated: 2026-05-13T19:30:09.308Z

Reserved: 2025-11-03T20:44:02.327Z

Link: CVE-2026-0241

cve-icon Vulnrichment

Updated: 2026-05-13T19:30:03.532Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-13T19:16:57.973

Modified: 2026-05-14T16:21:23.190

Link: CVE-2026-0241

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T14:33:49Z

Weaknesses