{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-0274","assignerOrgId":"d6c1279f-00f6-4ef7-9217-f89ffe703ec0","state":"PUBLISHED","assignerShortName":"palo_alto","dateReserved":"2025-11-03T20:44:33.634Z","datePublished":"2026-06-10T21:02:26.497Z","dateUpdated":"2026-06-12T03:55:32.986Z"},"containers":{"cna":{"providerMetadata":{"orgId":"d6c1279f-00f6-4ef7-9217-f89ffe703ec0","shortName":"palo_alto","dateUpdated":"2026-06-10T21:02:26.497Z"},"title":"Cortex XSOAR: Improper Validation of Credentials in CommvaultSecurityIQ integration","datePublic":"2026-06-10T16:00:00.000Z","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-1390","description":"CWE-1390 Weak Authentication","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-475","descriptions":[{"lang":"en","value":"CAPEC-475 Signature Spoofing by Improper Validation"}]}],"affected":[{"vendor":"Palo Alto Networks","product":"Cortex XSIAM CommvaultSecurityIQ Marketplace","versions":[{"status":"affected","version":"1.1.0","lessThan":"1.2.0","changes":[{"at":"1.2.0","status":"unaffected"}],"versionType":"custom"}],"defaultStatus":"unaffected"},{"vendor":"Palo Alto Networks","product":"Cortex XSOAR CommvaultSecurityIQ Marketplace","versions":[{"status":"affected","version":"1.1.0","lessThan":"1.2.0","changes":[{"at":"1.2.0","status":"unaffected"}],"versionType":"custom"}],"defaultStatus":"unaffected"}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:palo_alto_networks:cortex_xsiam_commvaultsecurityiq_marketplace:*:*:*:*:*:*:*:*","versionEndExcluding":"1.2.0","versionStartIncluding":"1.2.0","vulnerable":true}],"negate":false,"operator":"OR"},{"cpeMatch":[{"criteria":"cpe:2.3:a:palo_alto_networks:cortex_xsoar_commvaultsecurityiq_marketplace:*:*:*:*:*:*:*:*","versionEndExcluding":"1.2.0","versionStartIncluding":"1.2.0","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"OR"}],"descriptions":[{"lang":"en","value":"An improper validation of credentials vulnerability in the CommvaultSecurityIQ integration for Cortex XSOAR and Cortex XSIAM allows an unauthenticated attacker to access and modify protected resources.","supportingMedia":[{"type":"text/html","base64":false,"value":"An improper validation of credentials vulnerability in the CommvaultSecurityIQ integration for Cortex XSOAR and Cortex XSIAM allows an unauthenticated attacker to access and modify protected resources."}]}],"references":[{"url":"https://security.paloaltonetworks.com/CVE-2026-0274","tags":["vendor-advisory"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","subConfidentialityImpact":"NONE","vulnIntegrityImpact":"HIGH","subIntegrityImpact":"NONE","vulnAvailabilityImpact":"HIGH","subAvailabilityImpact":"NONE","exploitMaturity":"UNREPORTED","Safety":"NOT_DEFINED","Automatable":"NO","Recovery":"USER","valueDensity":"DIFFUSE","vulnerabilityResponseEffort":"MODERATE","providerUrgency":"RED","version":"4.0","baseSeverity":"HIGH","baseScore":8.1,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Red"}}],"configurations":[{"lang":"eng","value":"No special configuration is required to be affected by this issue.","supportingMedia":[{"type":"text/html","base64":false,"value":"No special configuration is required to be affected by this issue."}]}],"workarounds":[{"lang":"eng","value":"No known workarounds exist for this issue.","supportingMedia":[{"type":"text/html","base64":false,"value":"No known workarounds exist for this issue."}]}],"solutions":[{"lang":"eng","value":"VERSION                                            MINOR VERSION         SUGGESTED SOLUTION\nCortex XSIAM CommvaultSecurityIQ Marketplace 1.1   1.1.0 through 1.1.9   Upgrade to 1.2.0 or later.\nCortex XSOAR CommvaultSecurityIQ Marketplace 1.1   1.1.0 through 1.1.9   Upgrade to 1.2.0 or later.","supportingMedia":[{"type":"text/html","base64":false,"value":"<table class=\"tbl\"><thead><tr><th>Version<br></th><th>Minor Version<br></th><th>Suggested Solution<br></th></tr></thead><tbody><tr>\n                                <td>Cortex XSIAM CommvaultSecurityIQ Marketplace 1.1<br></td>\n                                <td>1.1.0 through 1.1.9</td>\n                                <td>Upgrade to 1.2.0 or later.</td>\n                            </tr><tr>\n                                <td>Cortex XSOAR CommvaultSecurityIQ Marketplace 1.1<br></td>\n                                <td>1.1.0 through 1.1.9</td>\n                                <td>Upgrade to 1.2.0 or later.</td>\n                            </tr></tbody></table>"}]}],"exploits":[{"lang":"en","value":"Palo Alto Networks is not aware of any malicious exploitation of this issue.","supportingMedia":[{"type":"text/html","base64":false,"value":"Palo Alto Networks is not aware of any malicious exploitation of this issue."}]}],"timeline":[{"time":"2026-06-10T16:00:00.000Z","lang":"en","value":"Initial Publication."}],"credits":[{"lang":"en","value":"our internal security research teams","type":"finder"}],"source":{"discovery":"INTERNAL"},"x_generator":{"engine":"Vulnogram 0.1.0-dev"},"x_affectedList":["Cortex XSIAM CommvaultSecurityIQ Marketplace 1.1.0","Cortex XSIAM CommvaultSecurityIQ Marketplace 1.1.1","Cortex XSIAM CommvaultSecurityIQ Marketplace 1.1.2","Cortex XSIAM CommvaultSecurityIQ Marketplace 1.1.3","Cortex XSIAM CommvaultSecurityIQ Marketplace 1.1.4","Cortex XSIAM CommvaultSecurityIQ Marketplace 1.1.5","Cortex XSIAM CommvaultSecurityIQ Marketplace 1.1.6","Cortex XSIAM CommvaultSecurityIQ Marketplace 1.1.7","Cortex XSOAR CommvaultSecurityIQ Marketplace 1.1.0","Cortex XSOAR CommvaultSecurityIQ Marketplace 1.1.1","Cortex XSOAR CommvaultSecurityIQ Marketplace 1.1.2","Cortex XSOAR CommvaultSecurityIQ Marketplace 1.1.3","Cortex XSOAR CommvaultSecurityIQ Marketplace 1.1.4","Cortex XSOAR CommvaultSecurityIQ Marketplace 1.1.5","Cortex XSOAR CommvaultSecurityIQ Marketplace 1.1.6","Cortex XSOAR CommvaultSecurityIQ Marketplace 1.1.7","Cortex XSOAR CommvaultSecurityIQ Marketplace 1.1.8","Cortex XSOAR CommvaultSecurityIQ Marketplace 1.1.9"]},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-11T00:00:00+00:00","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3","id":"CVE-2026-0274"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-12T03:55:32.986Z"}}]}}