Palo Alto Networks disclosed CVE-2026-0234, a high-severity flaw in the Microsoft Teams Marketplace integration for Cortex XSOAR and Cortex XSIAM. The vulnerability stems from improper verification of a cryptographic signature, allowing a remote, unauthenticated attacker to forge signatures and access sensitive resources without user interaction. Palo Alto rated the issue CVSS 9.2, and reporting said successful exploitation could let attackers view or modify protected data, alter security playbooks, and disrupt incident response operations.
The affected software includes Microsoft Teams Marketplace integration versions 1.5.0 through 1.5.51 for both products. Palo Alto said the issue was discovered by an external researcher identified as "quinn" and reported that there is no known in-the-wild exploitation. The company also said no workaround is available, making an upgrade to version 1.5.52 or later the required remediation for exposed deployments.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
Palo Alto Networks disclosed CVE-2026-0234 and released a fix by requiring customers to upgrade the Microsoft Teams integration to version 1.5.52 or later. The company rated the flaw high severity, said no workaround exists, and stated it had no evidence of in-the-wild exploitation at disclosure.
An external researcher identified an improper verification of cryptographic signature vulnerability in the Microsoft Teams Marketplace integration for Cortex XSOAR and Cortex XSIAM. The issue affects versions 1.5.0 through 1.5.51 and could allow remote, unauthenticated attackers to forge signatures and access sensitive resources.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourcesecurity.paloaltonetworks.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.