CVE-2026-0274: Cortex XSOAR: Improper Validation of Credentials in CommvaultSecurityIQ integration
An improper validation of credentials vulnerability in the CommvaultSecurityIQ integration for Cortex XSOAR and Cortex XSIAM allows an unauthenticated attacker to access and modify protected resources.
Metrics
- CVSS v4.0: 8.1
- Severity: HIGH
- Fixed in: 1.2.0
- Affected Products: 2
HarborGuard Analysis
Synopsis
An improper credential validation vulnerability affects the CommvaultSecurityIQ integration for Palo Alto Networks Cortex XSOAR and Cortex XSIAM. The flaw is reachable over the network and requires no authentication: any remote attacker who can reach the integration endpoint can exploit it without an account or credentials of any kind. Successful exploitation gives the attacker read and write access to the resources the integration is supposed to protect. A patched-image rebuild at version 1.2.0 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle the CommvaultSecurityIQ integration package.
HarborGuard scores this CVE at 8.1 HIGH using the CVSS v4.0 vector and weights it against each environment's compliance policy, then routes the finding to the appropriate team inbox within the customer org.
A patched-image rebuild at version 1.2.0 is available on HarborGuard for any environment found running an affected version (1.1.0 up to but not including 1.2.0). For customers who opt into auto-remediation, HarborGuard runs the rebuild, executes a regression test suite against it, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the CommvaultSecurityIQ integration endpoint over the network; any host with network access to the service is in scope.
- Authentication: Not required
No account or credential of any privilege level is needed; the vulnerability is exploitable by a completely unauthenticated caller.
- Victim interaction: Not required
No user action or social engineering is required; the attacker interacts directly with the service endpoint.
- Attack complexity: Low
Attack complexity is low (AC:L, AT:N in the vector below), meaning the exploit is reliable and requires no special timing, race conditions, or environment-specific setup.
Blast Radius
- The attacker reads protected resources within the CommvaultSecurityIQ integration. The advisory does not enumerate them; given what the integration handles, they plausibly include backup job data, alert records, and any credentials or tokens the integration stores.
- The attacker modifies protected resources, which could allow them to alter security alerts, tamper with backup job configuration, or inject false event data into XSOAR/XSIAM playbooks.
- Because the integration bridges Commvault telemetry into a SOAR platform, tampered data can corrupt automated incident-response decisions downstream of the integration, for example by suppressing a real alert or triggering a playbook on a fabricated one.
How HarborGuard Handles This
Available on HarborGuard: the CVE is matched against customer images at ingest time, and a patched rebuild at version 1.2.0 is available for any environment where an affected CommvaultSecurityIQ integration (versions 1.1.0 through 1.1.x) is present. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, runs regression tests, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is surfaced in the customer's triage queue with the CVSS 8.1 HIGH score and remediation instructions pointing to the 1.2.0 release. Because the vulnerability needs no authentication and is reachable over the network, teams that cannot patch immediately should restrict inbound access to the XSOAR/XSIAM integration endpoint as a compensating control until the patched image is deployed: a network policy or firewall rule that admits only the source addresses that legitimately need to reach the integration closes the exposure to everything else. Filtering only outbound (egress) traffic from the host does not help here, since the attacker initiates the connection. This control limits who can reach the endpoint; it does not fix the credential check, so it is a stopgap rather than a substitute for upgrading to 1.2.0.
Fix available
- Palo Alto Networks / Cortex XSIAM CommvaultSecurityIQ Marketplace: < 1.2.0 (from 1.1.0)
- Palo Alto Networks / Cortex XSOAR CommvaultSecurityIQ Marketplace: < 1.2.0 (from 1.1.0)
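A check a practitioner would want before trusting an inventory against the affected range above: the following is an added example (not HarborGuard's or Palo Alto Networks' code) that flags installed CommvaultSecurityIQ packs whose version is >= 1.1.0 and < 1.2.0. It assumes the installed-pack inventory has been exported as JSON objects with "id" and "currentVersion" keys (the field name Cortex XSOAR content packs use in pack_metadata.json); the sample inventory is constructed. Versions are compared numerically rather than as strings, because a string comparison would classify 1.10.0 as affected, and a version that cannot be parsed is reported rather than silently treated as safe.

```python
"""Flag installed CommvaultSecurityIQ content packs in the affected range of
CVE-2026-0274 (>= 1.1.0 and < 1.2.0; fixed in 1.2.0).

Added example, not HarborGuard's or Palo Alto Networks' code. Assumes an
inventory of dicts with "id" and "currentVersion" keys (the field name used
in XSOAR pack_metadata.json). The inventory below is constructed sample data.
"""
import json
from typing import Dict, Iterable, List, Tuple

AFFECTED_PACK_ID = "CommvaultSecurityIQ"
AFFECTED_FROM = (1, 1, 0)   # inclusive lower bound from the advisory
FIXED_IN = (1, 2, 0)        # exclusive upper bound: the patched release


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple of ints.

    Raises ValueError for anything that is not exactly three numeric parts,
    so a malformed or truncated version string is never compared by accident.
    """
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version lies in [AFFECTED_FROM, FIXED_IN)."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def affected_packs(inventory: Iterable[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (pack id, version, verdict) for each CommvaultSecurityIQ entry
    that is affected or whose version could not be parsed; other packs and
    patched versions are skipped."""
    fixed = ".".join(str(n) for n in FIXED_IN)
    findings: List[Tuple[str, str, str]] = []
    for pack in inventory:
        if pack.get("id") != AFFECTED_PACK_ID:
            continue
        version = str(pack.get("currentVersion", ""))
        try:
            hit = is_affected(version)
        except ValueError:
            # Do not let a bad version string pass as "not affected".
            findings.append((AFFECTED_PACK_ID, version, "unparseable version, review manually"))
            continue
        if hit:
            findings.append((AFFECTED_PACK_ID, version, f"affected, upgrade to {fixed}"))
    return findings


# Constructed sample inventory: one entry per case worth exercising.
SAMPLE_INVENTORY = json.loads("""[
  {"id": "CommvaultSecurityIQ", "currentVersion": "1.1.0"},
  {"id": "CommvaultSecurityIQ", "currentVersion": "1.1.3"},
  {"id": "CommvaultSecurityIQ", "currentVersion": "1.2.0"},
  {"id": "CommvaultSecurityIQ", "currentVersion": "1.0.9"},
  {"id": "CommvaultSecurityIQ", "currentVersion": "1.10.0"},
  {"id": "CommvaultSecurityIQ", "currentVersion": "1.1"},
  {"id": "SomeOtherPack", "currentVersion": "1.1.0"}
]""")


if __name__ == "__main__":
    for pack_id, version, verdict in affected_packs(SAMPLE_INVENTORY):
        print(f"{pack_id} {version}: {verdict}")
```

The 1.10.0 entry is the one to watch: a naive string comparison orders "1.10.0" before "1.2.0" and would raise a false positive, while the tuple comparison correctly treats it as newer than the fix. Adjust AFFECTED_FROM and FIXED_IN if a later advisory revision changes the range.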
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Red