Palo Alto patches Cortex XSOAR and XSIAM Microsoft Teams integration flaw
Palo Alto Networks has patched a high-severity vulnerability in the Microsoft Teams integration for Cortex XSOAR and Cortex XSIAM. The flaw, tracked as CVE-2026-0234, stems from improper verification of a cryptographic signature and can let an unauthenticated attacker access and modify protected resources.
Palo Alto rates the issue as High severity with a base CVSS 4.0 score of 9.2, while also marking the advisory with a Highest urgency rating. The company says the bug affects Microsoft Teams Marketplace integration versions 1.5.0 through 1.5.51, and the fixed version is 1.5.52 or later.
This matters because Cortex XSOAR and Cortex XSIAM sit close to incident response and security operations workflows. If an attacker can tamper with data or gain unauthorized access through a trusted integration, that can create risk around alert handling, investigation data, and automated response actions. That last point is an inference based on the role of these products and the access impact Palo Alto describes.
What Palo Alto says about the flaw
According to Palo Alto's advisory, the core weakness is CWE-347, improper verification of cryptographic signature. In practical terms, the Microsoft Teams integration did not properly validate signed input, which created a path for an attacker to spoof trust and bypass normal checks.
The vendor says the attack can happen over the network, needs no user interaction, and does not require prior privileges. Palo Alto also notes that attack complexity is high and attack requirements are present, which helps explain why the company paired a high base severity score with a lower CVSS-BT score of 7.2.
Palo Alto says it is not aware of any malicious exploitation of CVE-2026-0234 at this time. Even so, the company did not publish a workaround, which makes patching the only clear remediation step in the advisory.
Affected versions and fix
The advisory lists two affected product tracks: Cortex XSOAR Microsoft Teams Marketplace and Cortex XSIAM Microsoft Teams Marketplace. In both cases, versions earlier than 1.5.52 are affected, and version 1.5.52 or newer is listed as unaffected.
Because the bug sits inside the Microsoft Teams integration rather than the broader platform as a whole, defenders should verify the installed Marketplace package version instead of assuming the base product version tells the full story. That is an operational inference based on the advisory's product status table.
Palo Alto's own Marketplace material also shows how this integration is meant to connect Teams into Cortex workflows, which helps explain why a trust-verification flaw here could expose sensitive resources.
CVE-2026-0234 at a glance
| Item | Details |
|---|---|
| CVE | CVE-2026-0234 |
| Product | Cortex XSOAR and Cortex XSIAM Microsoft Teams Marketplace integration |
| Weakness | Improper verification of cryptographic signature |
| Severity | High |
| Vendor urgency | Highest |
| Base score | CVSS-B 9.2 |
| Operational score | CVSS-BT 7.2 |
| Auth required | No |
| User interaction | None |
| Fixed version | 1.5.52 and later |
What admins should do now
- Check whether your environment uses the Microsoft Teams Marketplace integration in Cortex XSOAR or Cortex XSIAM.
- Upgrade the integration to version 1.5.52 or later.
- Treat this as a priority update even though Palo Alto has not seen active exploitation, because the advisory carries a Highest urgency rating and the flaw allows unauthenticated access to protected resources.
- Review recent Teams integration activity and related automation behavior for anything unusual. This is a reasonable defensive step inferred from the advisory's access-and-modification impact.
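To support the version check in the steps above, the following added example (not from Palo Alto or the original article) triages an inventory of installed Teams pack versions against the 1.5.52 fix. The inventory rows and field names are constructed assumptions. The example also shows why comparing version strings as text misclassifies releases such as 1.5.9.

```python
import re

# First fixed release, as stated in the advisory quoted on this page.
FIRST_FIXED = (1, 5, 52)

def parse_version(text):
    """Return '1.5.9' as (1, 5, 9), or None if it is not MAJOR.MINOR.PATCH."""
    match = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)\s*", text or "")
    return tuple(int(part) for part in match.groups()) if match else None

def classify(version_text):
    """Classify one installed pack version against CVE-2026-0234."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # missing or malformed value: verify by hand
    # Numeric tuple comparison: (1, 5, 9) sorts below (1, 5, 52).
    return "fixed" if version >= FIRST_FIXED else "affected"

def naive_is_fixed(version_text):
    """Deliberately wrong: text comparison ranks '1.5.9' above '1.5.52'."""
    return version_text >= "1.5.52"

def needs_attention(inventory):
    """Tenants whose Teams pack is affected or could not be verified."""
    return [row["tenant"] for row in inventory
            if classify(row["teams_pack_version"]) != "fixed"]

# Constructed sample inventory; tenant names and field names are
# assumptions made for this example, not a Cortex export format.
SAMPLE_INVENTORY = [
    {"tenant": "soc-prod", "product": "Cortex XSOAR", "teams_pack_version": "1.5.9"},
    {"tenant": "soc-dr", "product": "Cortex XSOAR", "teams_pack_version": "1.5.52"},
    {"tenant": "xsiam-eu", "product": "Cortex XSIAM", "teams_pack_version": "1.5.100"},
    {"tenant": "xsiam-lab", "product": "Cortex XSIAM", "teams_pack_version": ""},
    {"tenant": "soc-legacy", "product": "Cortex XSOAR", "teams_pack_version": "1.5.51"},
]

if __name__ == "__main__":
    for row in SAMPLE_INVENTORY:
        status = classify(row["teams_pack_version"])
        print(f'{row["tenant"]:<11} {row["product"]:<13} '
              f'{row["teams_pack_version"] or "(none)":<8} {status}')
    print("Upgrade or verify:", ", ".join(needs_attention(SAMPLE_INVENTORY)))
```

Rows reported as unknown should be checked manually rather than assumed safe.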
FAQ
It is a Palo Alto Networks vulnerability in the Microsoft Teams integration for Cortex XSOAR and Cortex XSIAM. The flaw involves improper signature verification and can let an unauthenticated attacker access and modify protected resources.
Palo Alto says versions 1.5.0 through 1.5.51 of the Microsoft Teams Marketplace integration are affected for both Cortex XSOAR and Cortex XSIAM. Version 1.5.52 and later are not affected.
Palo Alto says it is not aware of any malicious exploitation of this issue at the time of publication.
The advisory does not list a workaround or temporary mitigation. The documented fix is to update to version 1.5.52 or later.