CVE-2026-0265: Authentication Bypass in Palo Alto Networks PAN-OS
Strategic Summary
The vulnerability CVE-2026-0265 in Palo Alto Networks PAN-OS allows an authentication bypass when the Cloud Authentication Service (CAS) is enabled and attached to a login interface. PA-Series and VM-Series firewalls and Panorama appliances are affected; the configuration is not the default but is common. Although no active exploitation is known so far, an urgent update is recommended because of the practical exploitability and the expected publication of details, especially since patches are already partially available.
Key Findings
- CVE-2026-0265 allows an authentication bypass in PAN-OS when CAS is enabled
- The vulnerability affects PA-Series, VM-Series and Panorama, but not Cloud NGFW or Prisma Access
- Patches were published on May 13, 2026; further patches follow by May 28, 2026
- Because exploit details are expected to be published soon, an emergency update is required
Relevance for you
CVE-2026-0265 allows authentication bypass in Palo Alto Networks firewalls with Cloud Authentication Service; no public exploits are available yet, but practical exploitability is confirmed and technical details are forthcoming.
Full text
May 14, 2026 | Last updated on May 14, 2026 | 3 min read
On May 13, 2026, Palo Alto Networks published a security advisory for CVE-2026-0265, a signature verification vulnerability that facilitates authentication bypass on PAN-OS, the operating system that most Palo Alto Networks firewalls run. This vulnerability allows a remote unauthenticated attacker with network access to bypass authentication when Cloud Authentication Service (CAS) is enabled and attached to a login interface; the vulnerable configuration is non-default but common. CVE-2026-0265 affects PAN-OS on PA-Series and VM-Series firewalls, as well as Panorama (virtual and M-Series) appliances. Cloud NGFW and Prisma Access are not affected.
As of May 14, Palo Alto Networks has not confirmed exploitation in-the-wild of CVE-2026-0265, and there is no public proof-of-concept exploit available. However, given the researcher's statements about the practical exploitability of this vulnerability and the pending disclosure of technical details, this will likely evolve. PAN-OS software has been a frequent target for threat actors; on May 6, 2026, the PAN-OS vulnerability CVE-2026-0300 was added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Patches for many affected version streams were published on May 13, and the remaining patches are expected on May 28, 2026.
Organizations running PA-Series or VM-Series firewalls, or Panorama (virtual and M-Series) appliances, with Cloud Authentication Service (CAS) enabled should upgrade to a fixed version on an emergency basis. Patches are partially available, with many version stream fixes published on May 13 and additional version stream coverage expected on May 28. The following table outlines the affected and fixed versions:
| **PAN-OS version** | **Affected** | **Fixed** |
| --- | --- | --- |
| 12.1 | < 12.1.4-h5 | >= 12.1.4-h5 |
| 12.1 | < 12.1.7 | >= 12.1.7 (ETA: 05/28) |
| 11.2 | < 11.2.4-h17 | >= 11.2.4-h17 (ETA: 05/28) |
| 11.2 | < 11.2.7-h13 | >= 11.2.7-h13 |
| 11.2 | < 11.2.10-h6 | >= 11.2.10-h6 |
| 11.2 | < 11.2.12 | >= 11.2.12 (ETA: 05/28) |
| 11.1 | < 11.1.4-h33 | >= 11.1.4-h33 |
| 11.1 | < 11.1.6-h32 | >= 11.1.6-h32 |
| 11.1 | < 11.1.7-h6 | >= 11.1.7-h6 (ETA: 05/28) |
| 11.1 | < 11.1.10-h25 | >= 11.1.10-h25 |
| 11.1 | < 11.1.13-h5 | >= 11.1.13-h5 |
| 11.1 | < 11.1.15 | >= 11.1.15 (ETA: 05/28) |
| 10.2 | < 10.2.7-h34 | >= 10.2.7-h34 (ETA: 05/28) |
| 10.2 | < 10.2.10-h36 | >= 10.2.10-h36 |
| 10.2 | < 10.2.13-h21 | >= 10.2.13-h21 (ETA: 05/28) |
| 10.2 | < 10.2.16-h7 | >= 10.2.16-h7 (ETA: 05/28) |
| 10.2 | < 10.2.18-h6 | >= 10.2.18-h6 |
| Cloud NGFW | Not affected | N/A |
| Prisma Access | Not affected | N/A |
Older unsupported PAN-OS versions should be upgraded to a supported fixed version.
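For triaging an inventory against the affected/fixed table, the following added example (not code from the vendor advisory or the original post) classifies a PAN-OS version string. It assumes the usual reading of such tables: a build is fixed if it is at or above the listed hotfix on its own maintenance release, or at or above the last build listed for its stream. The function names and sample versions are constructed, and the check covers the version only, not whether CAS is attached to a login interface.

```python
import re

# Fixed builds transcribed from the table: stream -> [(maintenance, hotfix, published)].
# published=False marks builds the table lists with "ETA: 05/28".
FIXED = {
    "12.1": [(4, 5, True), (7, 0, False)],
    "11.2": [(4, 17, False), (7, 13, True), (10, 6, True), (12, 0, False)],
    "11.1": [(4, 33, True), (6, 32, True), (7, 6, False),
             (10, 25, True), (13, 5, True), (15, 0, False)],
    "10.2": [(7, 34, False), (10, 36, True), (13, 21, False),
             (16, 7, False), (18, 6, True)],
}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version):
    """Split '11.1.6-h32' into ('11.1', 6, 32); a missing hotfix counts as 0."""
    match = _VERSION.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = match.groups()
    return f"{major}.{minor}", int(maint), int(hotfix or 0)


def assess(version):
    """Return (status, upgrade_targets) for one PAN-OS version string."""
    stream, maint, hotfix = parse(version)
    fixes = FIXED.get(stream)
    if fixes is None:
        # Stream is not in the table (e.g. older unsupported releases).
        return "stream-not-in-table", []
    current = (maint, hotfix)
    # Assumption: fixed when at/above the listed hotfix on the same maintenance
    # release, or at/above the last build listed for the stream.
    same_line = any(m == maint and hotfix >= h for m, h, _ in fixes)
    if same_line or current >= fixes[-1][:2]:
        return "fixed", []
    targets = [
        f"{stream}.{m}" + (f"-h{h}" if h else "") + ("" if pub else " (ETA 05/28)")
        for m, h, pub in fixes
        if (m, h) > current
    ]
    return "affected", targets


if __name__ == "__main__":
    # Constructed sample inventory.
    for v in ["11.1.6-h31", "11.1.6-h32", "11.1.5", "10.2.19", "12.1.4-h4", "9.1.0"]:
        print(v, *assess(v))
```

Targets marked "(ETA 05/28)" are builds the table lists as not yet published; a device whose only same-line target carries that marker needs a move to another published build or the vendor's interim guidance.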
To determine if an environment is vulnerable, the official advisory provides instructions to verify whether an authentication profile using CAS is enabled and attached to a login interface. Due to discrepancies in the information shared by the vendor and reporting researchers, Rapid7 advises patching instead of implementing workarounds, wherever possible.
For the latest official mitigation guidance, please refer to the vendor advisory.
Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-0265 with authenticated checks expected to be available in the May 15th content release.
- **May 14, 2026**: Initial publication.
CVEs mentioned
Risk Score
- cvss base: 98.00
- kev bonus: 20.00
- epss bonus: 0.00
- poc bonus: 15.00
- raw before weight: 133.00
- industry weight: 1.10
- freshness factor: 0.50
- days old: 14.00
- vendor mismatch penalty: -10.00
Path: operational
MITRE ATT&CK Mapping
2 TTPs (procedure details)
| Technique | Tactic | Procedure | Conf. | Source |
|---|---|---|---|---|
| T1190 Exploit Public-Facing Application | Initial Access | A remote unauthenticated attacker with network access exploits CVE-2026-0265, a signature verification flaw in Palo Alto Networks PAN-OS, to bypass authentication on PA-Series and VM-Series firewalls and Panorama appliances when Cloud Authentication Service (CAS) is enabled and attached to a login interface. | high | llm |
| T1556 Modify Authentication Process | Credential Access | CVE-2026-0265 exploits a signature verification vulnerability (CWE-347) in PAN-OS's Cloud Authentication Service to bypass the authentication mechanism entirely, allowing an unauthenticated attacker to circumvent credential validation on the login interface. | high | llm |