Palo Alto Networks has disclosed a critical PAN-OS vulnerability, tracked as CVE-2026-0300, affecting the User-ID Authentication Portal, also known as the Captive Portal. The flaw is a buffer overflow vulnerability that can allow an unauthenticated attacker to execute arbitrary code with root privileges on affected PA-Series and VM-Series firewalls.
Palo Alto has rated the vulnerability as Critical, with a CVSS 4.0 score of 9.3. Exploitation has already been observed in the wild, targeting User-ID Authentication Portals exposed to untrusted IP addresses or the public internet.
Technical Details
CVE-2026-0300 affects the User-ID Authentication Portal service in PAN-OS. By sending specially crafted packets to a vulnerable portal, an unauthenticated attacker may be able to trigger a buffer overflow and execute code on the firewall with root-level privileges.
The vulnerability only applies where the affected PAN-OS firewall is configured to use the User-ID Authentication Portal. Risk is significantly higher when the portal is reachable from the internet or other untrusted networks. Palo Alto notes that the severity is reduced where portal access is restricted to trusted internal IP addresses.
Affected Versions
The vulnerability affects PA-Series and VM-Series firewalls running vulnerable PAN-OS versions where the User-ID Authentication Portal is enabled.
Affected branches include:
| PAN-OS Branch | Affected Versions |
| --- | --- |
| PAN-OS 12.1 | Versions below 12.1.4-h5 and 12.1.7 |
| PAN-OS 11.2 | Versions below 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12 |
| PAN-OS 11.1 | Versions below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15 |
| PAN-OS 10.2 | Versions below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6 |
Palo Alto Networks states that Prisma Access, Cloud NGFW, and Panorama appliances are not impacted.
Impact
Successful exploitation could give an attacker root-level code execution on an affected firewall. This is a high-impact scenario because firewalls sit at critical network boundaries and often have visibility into, or control over, sensitive traffic flows.
A compromised firewall could potentially be abused for traffic inspection, policy manipulation, persistence, reconnaissance, or as a pivot point into internal environments.
Recommended Actions
Organizations using Palo Alto PA-Series or VM-Series firewalls should immediately confirm whether the User-ID Authentication Portal / Captive Portal is enabled and whether it is externally accessible.
Administrators can review the relevant configuration under:
Device → User Identification → Authentication Portal Settings → Enable Authentication Portal
If the portal is enabled and reachable from the internet, access should be restricted immediately to trusted internal IP addresses and trusted zones only. If the portal is not required, it should be disabled until a fixed PAN-OS version is available and deployed.
Palo Alto Networks has stated that fixed versions are expected to begin releasing from 13 May 2026, with additional branch-specific fixes expected later in May. Until patches are available, exposure reduction is the primary mitigation.
Organizations should also review recent firewall activity for unusual inbound traffic, unexpected authentication activity, suspicious portal access, abnormal policy hits, configuration changes, or unexplained firewall service behavior.
Stay Safe. Stay Secure
OP Innovate Research Team



