InfoSec Briefing - May 31, 2026

🎧 Audio Briefing

Playback Speed:

Cyber security developments for Sunday the 31st of May 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 3 articles to cover. All attribution is by the article authors. All article analysis is automated.

CISA has added a critical authentication bypass in Palo Alto Networks PAN-OS to the Known Exploited Vulnerabilities catalogue. The flaw affects GlobalProtect portal and gateway components, allowing unauthenticated attackers to establish VPN connections and gain network access. This one's actively exploited with public proof-of-concept code available, so if you're running internet-facing GlobalProtect, immediate patching and log review are in order.

Datadog Security Labs have released Pathfinding Labs, a collection of over a hundred intentionally vulnerable AWS environments for hands-on training. The project covers IAM privilege escalation, cloud misconfigurations, and multi-hop attack scenarios — essentially a gym for red teams, blue teams, and security tool builders to test their skills against realistic cloud attack vectors.

And Rapid7 Labs have disclosed a critical argument injection vulnerability in Gogs, the self-hosted Git service, that allows authenticated users to achieve remote code execution via malicious pull request branch names. The vulnerability exploits improper handling of git rebase commands and remains unpatched as of today, which is particularly relevant if you're running Gogs in any capacity — attackers can compromise servers and access all repositories.

That concludes today's briefing.

📰 Articles Covered

CVE-2026-0257 - CISA KEV

CVE-2026-0257 is an authentication bypass vulnerability affecting Palo Alto Networks PAN-OS software, specifically within the GlobalProtect portal and gateway components .

### Vulnerability Overview
* **Vendor:** Palo Alto Networks
* **Affected Product:** PAN-OS software (GlobalProtect portal and gateway) and Prisma Access
* **Impact:** Successful exploitation allows a remote, unauthenticated attacker to bypass security restrictions and establish an unauthorized VPN connection through the GlobalProtect gateway
* **Severity:** Rated as medium severity (CVSS score: 7.8)

### Exploitation (MITRE ATT&CK T1190)
This vulnerability is being actively exploited in the wild against internet-facing applications . Attackers are leveraging the authentication bypass to gain unauthorized network access, which aligns with **T1190: Exploit Public-Facing Application** .

Active exploitation has been observed since mid-May 2026, specifically targeting appliances where specific configurations are present . While Panorama and Cloud NGFW are not impacted, organizations using affected PAN-OS versions are at risk .

### Recommended Actions for Defenders
1. **Apply Patches:** Immediately review the official Palo Alto Networks security advisory for the latest fixed versions of PAN-OS and apply the necessary updates .
2. **Monitor Logs:** Implement enhanced monitoring for unauthorized VPN connection attempts and anomalous traffic patterns originating from the GlobalProtect gateway .
3. **Review Configuration:** Verify if your specific GlobalProtect configuration is susceptible to this bypass and apply hardening controls as recommended by the vendor .
Pathfinding Labs: Deploy, test, and learn from 100+ intentionally vulnerable AWS environments - Datadog Security Labs

This precis summarizes the introduction of **Pathfinding Labs** by Datadog Security Labs, a project designed to help security professionals understand and defend against complex cloud attack vectors 【1】.

### What Happened
Datadog Security Labs launched **Pathfinding Labs**, a collection of over 100 intentionally vulnerable AWS environments 【1】. The project originated as a verification mechanism for [pathfinding.cloud](https://pathfinding.cloud), a catalog of AWS IAM privilege escalation techniques, ensuring that documented attack paths were accurate and reproducible 【1】. The scope has since expanded to include broader cloud misconfigurations and complex multi-hop attack scenarios 【1】.

### Who Is Affected
This project is intended for **security professionals**, including red teamers, blue teamers, and security tool builders 【1】. It is a resource for those responsible for securing AWS environments and validating the effectiveness of their security tooling 【1】.

### Security Implications
The project addresses the fundamental observation that while "defenders think in lists, attackers think in graphs" 【1】. By deploying these labs, organizations can:
* **Validate CSPM Effectiveness:** Test whether Cloud Security Posture Management (CSPM) tools can identify exploitable misconfigurations before they are leveraged by attackers 【1】.
* **Evaluate Graph-Based Tools:** Measure how effectively security tools reconstruct multi-step attack paths (e.g., cross-account escalation or multi-hop role chains) 【1】.
* **Improve Detection:** Provide a controlled environment to verify that security controls and detection logic function as expected against known attacker TTPs (Tactics, Techniques, and Procedures) 【1】.

### Technical Details
The project consists of three primary components:
* **Web Catalog:** A central reference ([pathfinding.cloud/labs](https://pathfinding.cloud/labs)) providing CTF-style hints and full exploitation solutions for each lab 【1】.
* **Terraform Labs:** A GitHub repository ([DataDog/pathfinding-labs](https://github.com/DataDog/pathfinding-labs)) containing the infrastructure-as-code definitions for the vulnerable environments 【1】.
* **`plabs` CLI:** A Go-based command-line tool that provides an interactive Terminal User Interface (TUI) to manage the deployment and destruction of labs, abstracting away the underlying Terraform complexity 【1】.

### What Defenders Should Know
* **Safety First:** The labs deliberately create high-risk vulnerabilities, such as administrative users, overly permissive roles, and public S3 buckets 【1】. **Never deploy these into production environments** or accounts containing sensitive data 【1】.
* **Environment Isolation:** Use a dedicated, isolated sandbox account (ideally in a separate AWS Organization) and configure billing alerts 【1】.
* **Clean Up:** Always use the `plabs destroy` command after testing to ensure all vulnerable resources are removed 【1】.
Authenticated RCE via Argument Injection in Gogs (NOT FIXED) - Rapid7

This precis summarizes the critical security vulnerability identified in Gogs, an open-source self-hosted Git service.

### What Happened
Rapid7 Labs discovered a critical argument injection vulnerability (CWE-88) in Gogs, which has been assigned a CVSSv4 score of 9.4 (Critical) 【1】. The vulnerability allows any authenticated user to achieve remote code execution (RCE) on the server by creating a pull request with a specially crafted, malicious branch name 【1】. As of May 31, 2026, no patch has been released by the vendor 【1】.

### Who Is Affected
Users of the Gogs self-hosted Git service are affected. Because the exploit requires authentication, the primary risk comes from instances that allow public registration or have untrusted users with repository access 【1】.

### Security Implications
Successful exploitation results in arbitrary command execution with the privileges of the Gogs server process user 【1】. This grants an attacker the ability to:
* Compromise the entire server 【1】.
* Read all repositories on the instance, including private ones belonging to other users 【1】.
* Exfiltrate sensitive credentials, such as password hashes, API tokens, SSH keys, and 2FA secrets 【1】.
* Pivot to other network-accessible systems and modify any hosted repository code 【1】.

### Technical Details
The root cause lies in the `Merge()` function within `internal/database/pull.go`. The application passes the pull request's base branch name directly to the `git rebase` command without using a `--` separator, which is the standard POSIX convention to signal the end of command options 【1】.

An attacker can provide a branch name containing `--exec`, such as `--exec=touch${IFS}/tmp/rce_proof`. Git’s argument parser interprets this as a flag rather than a branch name 【1】. The `--exec` flag instructs Git to run the provided command via `sh -c` after each replayed commit, and the use of `${IFS}` allows the attacker to bypass Git's restrictions on spaces within branch names 【1】.

### What Defenders Should Know
Since no patch is available, administrators should implement the following mitigations to reduce risk:
* **Restrict User Registration:** Set `DISABLE_REGISTRATION = true` in the `app.ini` configuration file to prevent unauthorized users from creating accounts 【1】.
* **Restrict Repository Creation:** Set `MAX_CREATION_LIMIT = 0` in `app.ini` or via the admin panel to prevent users from creating new repositories, which is the most common attack vector 【1】.
* **Audit Rebase Settings:** While disabling "Rebase before merging" on a per-repository basis reduces the attack surface, it is not a complete defense, as users with administrative access to a repository can re-enable this setting 【1】.