On May 6, 2026, Palo Alto Networks disclosed a critical buffer overflow vulnerability (CVE-2026-0300) in the User-ID™ Authentication Portal (Captive Portal) component of PAN-OS. This vulnerability allows an unauthenticated, remote attacker to execute arbitrary code with root privileges on affected PA-Series and VM-Series firewalls by sending specially crafted packets. No user interaction or credentials are required.
Active, limited exploitation has been confirmed against firewalls where the User-ID Authentication Portal is accessible from untrusted networks or the internet. CISA has added CVE-2026-0300 to the Known Exploited Vulnerabilities (KEV) catalog, with U.S. federal agencies mandated to remediate by May 9, 2026.
Prisma Access, Cloud NGFW, and Panorama appliances are not affected.
Vulnerability Details
This vulnerability was first publicly disclosed on 5/6/2026 by PAN. Limited exploitation has been observed at the time of writing.
| CVE | CVSS | Vulnerability Type | Vector | Affected Products |
| CVE-2026-0300 | CRITICAL-CVSS 4.0 | Buffer Overflow (CWE-787: Out-of-bounds Write) | Unauthenticated, Remote Code Execution (RCE) | PA-Series and VM-Series firewalls with User-ID Authentication Portal enabled. |
Recommendations for CVE-2026-0300
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version when available and apply the vendor-recommended workaround to secure access to their User-ID™ Authentication Portal, following the instructions in the Workaround(s) section below.
| Product | Affected Version | Fixed Version |
| Cloud NGFW | None | All |
| PAN-OS 12.1 | < 12.1.4-h5 < 12.1.7 |
>= 12.1.4-h5 (ETA: 05/13) >= 12.1.7 (ETA: 05/28) |
| PAN-OS 11.2 | < 11.2.4-h17 < 11.2.7-h13 < 11.2.10-h6 < 11.2.12 |
>= 11.2.4-h17 (ETA: 05/28) >= 11.2.7-h13 (ETA: 05/13) >= 11.2.10-h6 (ETA: 05/13) >= 11.2.12 (ETA: 05/28) |
| PAN-OS 11.1 | < 11.1.4-h33 < 11.1.6-h32 < 11.1.7-h6 < 11.1.10-h25 < 11.1.13-h5 < 11.1.15 |
>= 11.1.4-h33 (ETA: 05/13) >= 11.1.6-h32 (ETA: 05/13) >= 11.1.7-h6 (ETA: 05/28) >= 11.1.10-h25 (ETA: 05/13) >= 11.1.13-h5 (ETA: 05/13) >= 11.1.15 (ETA: 05/28) |
| PAN-OS 10.2 | < 10.2.7-h34 < 10.2.10-h36 < 10.2.13-h21 < 10.2.16-h7 < 10.2.18-h6 |
>= 10.2.7-h34 (ETA: 05/28) >= 10.2.10-h36 (ETA: 05/13) >= 10.2.13-h21 (ETA: 05/28) >= 10.2.16-h7 (ETA: 05/28) >= 10.2.18-h6 (ETA: 05/13) |
| Prisma Access | None | All |
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.
Workaround(s)
Per Palo Alto guidance, customers can mitigate the risk of this issue by taking either of the following actions:
- Restrict User-ID™ Authentication Portal access to only trusted zones.
  - Disable Response Pages in the Interface Management Profile attached to every L3 interface in any zone where untrusted/internet traffic can ingress.
  - Keep Response Pages enabled only on interfaces in trust/internal zones where legitimate users’ browsers ingress.
  - Refer to Step 6 of the following Live Community article and Knowledgebase article for steps to restrict access.
- Disable User-ID™ Authentication Portal if not required.
References
- Palo Alto Networks Security Advisory — CVE-2026-0300
- CISA — Known Exploited Vulnerability Alert
- NHS Digital Cyber Alert CC-4777
- Canadian Centre for Cyber Security Advisory AV26-425
- CERT-EU Security Advisory 2026-006
- Wiz — CVE-2026-0300 Exploited in the Wild
- Help Net Security — Palo Alto Firewalls Vulnerability Exploited
- Feedly CVE Tracker — CVE-2026-0300



