← back
CVE-2026-0300

PAN-OS: Unauthenticated user initiated Buffer Overflow Vulnerability in User-ID™ Authentication Portal

CVSS 9.3 CRITICALEPSS 36.2%● KEVCWE-787
In short

A buffer overflow flaw in Palo Alto Networks PAN-OS User-ID Authentication Portal lets an unauthenticated attacker send malicious packets to execute code with root access on firewalls. This is critical because no login is required, giving attackers direct control over the device.

Technical detail

An unauthenticated buffer overflow vulnerability exists in the User-ID Authentication Portal service (CWE-787), exploitable via specially crafted network packets to achieve remote code execution with root privileges on PA-Series and VM-Series appliances. The attack requires network access to the portal but no authentication; mitigation is available by restricting portal access to trusted IP ranges per security best practices.

Summary generated and translated by AI from the official description.
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines https://knowledgebase.paloaltonetworks.com/KCSArticleDetail by restricting access to only trusted internal IP addresses. Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A/AU:Y/R:U/V:C/RE:M/U:Red
Affected products
Palo Alto Networks · Cloud NGFWPalo Alto Networks · PAN-OSPalo Alto Networks · Prisma Access
public PoCs found1
githubgithub.com/lu4m575/CVE-2026-03000
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://cert-portal.siemens.com/productcert/html/ssa-967325.htmlhttps://security.paloaltonetworks.com/CVE-2026-0300https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-0300