CVE-2026-0300
Received Received - Intake
Buffer Overflow in Palo Alto PAN-OS User-ID Authentication Portal

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: Palo Alto Networks, Inc.

Description
A buffer overflow vulnerability in the User-IDβ„’ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. The risk of this issue is greatly reduced if you secure access to the User-IDβ„’ Authentication Portal per the best practice guidelines https://knowledgebase.paloaltonetworks.com/KCSArticleDetail by restricting access to only trusted internal IP addresses. Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-06
Generated
2026-05-07
AI Q&A
2026-05-06
EPSS Evaluated
N/A
NVD
CVE-2026-0300
EUVD
EUVD-2026-27879
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
palo_alto_networks pan-os *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a buffer overflow in the User-IDβ„’ Authentication Portal (also known as Captive Portal) service of Palo Alto Networks PAN-OS software. It allows an unauthenticated attacker to send specially crafted packets to the affected firewalls, which can lead to the execution of arbitrary code with root privileges.

The affected devices are PA-Series and VM-Series firewalls. The vulnerability does not impact Prisma Access, Cloud NGFW, or Panorama appliances.

The risk can be greatly reduced by securing access to the User-IDβ„’ Authentication Portal according to best practice guidelines, such as restricting access to trusted internal IP addresses.


How can this vulnerability impact me? :

An attacker exploiting this vulnerability can execute arbitrary code with root privileges on the affected firewall devices. This means the attacker could potentially take full control of the firewall, bypass security controls, disrupt network traffic, or use the firewall as a foothold to attack other parts of the network.

Because the attacker does not need to be authenticated, the attack can be launched remotely by sending specially crafted packets.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, it is recommended to secure access to the User-IDβ„’ Authentication Portal by restricting access to only trusted internal IP addresses as per best practice guidelines.

This reduces the risk of exploitation by limiting exposure of the vulnerable service.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart