CVE-2026-0240 PUBLISHED

Trust Protection Foundation: Sensitive Information Disclosure Vulnerability

Assigner: palo_alto
Reserved: 03.11.2025 Published: 13.05.2026 Updated: 13.05.2026

An information disclosure vulnerability in Trust Protection Foundation enables an authenticated attacker to obtain sensitive information from the server's vault. Successful exploitation of this issue allows the attacker to impersonate any user within the environment and arbitrarily modify configuration settings.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Amber
CVSS Score: 4.5

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Adjacent	Confidentiality	High	Confidentiality	Low
Attack Complexity	Low	Integrity	High	Integrity	Low
Attack Requirements	Present	Availability	None	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	Palo Alto Networks
Product	Trust Protection Foundation
Versions	Default: unaffected affected from 25.3.0 to 25.3.3 (excl.) affected from 25.1.0 to 25.1.8 (excl.) affected from 24.3.0 to 24.3.6 (excl.) affected from 24.1.0 to 24.1.13 (excl.)

Exploits

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Credits

Palo Alto Networks thanks our internal security research teams for discovering and reporting this issue. other

References

https://security.paloaltonetworks.com/CVE-2026-0240

Problem Types

CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere CWE

Impacts

CAPEC-37 Retrieve Embedded Sensitive Data