A critical buffer overflow (CVE-2026-0300, CVSS 9.8) in the PAN-OS User-ID Authentication Portal allows unauthenticated remote code execution with root privileges on affected PA-Series and VM-Series firewalls. The authoritative NVD data lists PAN-OS versions 10.2.0 through 10.2.4 as confirmed affected. As patches are not yet available, the immediate mitigation is to restrict the User-ID Authentication Portal to trusted zones or disable it entirely if not required.
Security Advisory 2026-006 Home Security Advisories Release Date: 06-05-2026 08:44:32 A A A A Critical Vulnerability in PAN-OS Download Download PDF MD5 SHA-1 SHA-256 SHA-512 Download MARKDOWN Download JSON History: 06/05/2026 --- v1.0 -- Initial publication Summary On 6 May 2026, Palo Alto published a security advisory addressing a critical vulnerability affecting PAN-OS [1]. This vulnerability allows an unauthenticated attacker to execute arbitrary code with root privileges. Palo Alto observed limited exploitation of this vulnerability. It is strongly recommended updating affected appliances as soon as patches will be available, and to apply workarounds and mitigation in the meantime. Technical Details The vulnerability CVE-2026-0300 , with the CVSS score of 9.3, is a buffer overflow in the User-ID Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software. [1] An unauthenticated attacker could execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. [1] Affected Products This issue is applicable only to PA-Series and VM-Series firewalls that are configured to use User-ID Authentication Portal. The following PAN-OS versions are affected: Versions prior to 12.1.4-h5 Versions prior to 12.1.7 Versions prior to 11.2.4-h17 Versions prior to 11.2.7-h13 Versions prior to 11.2.10-h6 Versions prior to 11.2.12 Versions prior to 11.1.4-h33 Versions prior to 11.1.6-h32 Versions prior to 11.1.7-h6 Versions prior to 11.1.10-h25 Versions prior to 11.1.13-h5 Versions prior to 11.1.15 Versions prior to 10.2.7-h34 Versions prior to 10.2.10-h36 Versions prior to 10.2.13-h21 Versions prior to 10.2.16-h7 Versions prior to 10.2.18-h6 Additional information is available in the vendor’s advisory [1]. Recommendations The patches are not available at the time of writing, but are scheduled to be released in the near future. It is recommended updating affected devices as soon as the patches will be released. Mitigation It is possible to mitigate the risk of this flaw by taking either of the following actions [1]: Restrict User-ID Authentication Portal access to only trusted zones. Disable User-ID Authentication Portal if not required. References [1] https://security.paloaltonetworks.com/CVE-2026-0300 Share this publication We got cookies We only use cookies that are necessary for the technical functioning of our website. Find out more on here . OK