Critical Buffer Overflow in Palo Alto Networks PAN-OS User-ID Authentication Portal (CVE-2026-0300)

[Critical Buffer Overflow in Palo Alto Networks PAN-OS User-ID Authentication Por]

May 6, 2026|Last updated on May 13, 2026|4 min read

On May 6, 2026, Palo Alto Networks published a security advisory for CVE-2026-0300, a critical unauthenticated buffer overflow vulnerability affecting PAN-OS PA-Series and VM-Series firewall appliances. Prisma Access, Cloud NGFW, and Panorama appliances are not affected by this vulnerability. The vulnerability carries a CVSSv4 score of 9.3 and has been confirmed as exploited in the wild by the vendor.

CVE-2026-0300 is a buffer overflow (CWE-787) in the User-ID™ Authentication Portal (also known as Captive Portal), a non-default PAN-OS feature used to map IP addresses to usernames. An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted packets to a device with the Authentication Portal enabled, achieving arbitrary code execution with root privileges on the affected firewall. No authentication or user interaction is required.

Palo Alto Networks has confirmed limited exploitation in the wild targeting Authentication Portals exposed to either untrusted IP addresses or the public internet. No patches are currently available; fixed versions are expected to begin rolling out on May 13, 2026, with additional releases through May 28, 2026.

PAN-OS is among the most widely deployed enterprise firewall operating systems in the world. Shodan identifies approximately 225,000 internet-facing PAN-OS instances, representing a significant attack surface. Rapid7 strongly urges all organizations running affected PAN-OS versions with the User-ID Authentication Portal enabled to **apply the available workarounds immediately** and prioritize patching as soon as fixed versions become available.

_Update #1:_ On May 6, 2026, CVE-2026-0300 was added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) list of known exploited vulnerabilities (KEV), based on evidence of active exploitation. Palo Alto Networks Unit 42 also published a threat brief attributing observed exploitation to CL-STA-1132, a likely state-sponsored threat cluster that deployed open-source tunneling tools and conducted Active Directory enumeration following initial compromise.

Organizations running PA-Series and VM-Series firewalls with the User-ID™ Authentication Portal enabled should apply the available workarounds immediately and prioritize patching as soon as fixed versions are released. Check the official documentation to establish whether the affected User-ID™ Authentication Portal is currently enabled.

According to the Palo Alto Networks advisory, the following versions are affected by CVE-2026-0300:

| **Product** | **Affected** | **Unaffected** | **Fix ETA** | | --- | --- | --- | --- | | PAN-OS 12.1 | <12.1.4-h5 <12.1.7 | >= 12.1.4-h5 >= 12.1.7 | 05/13 05/28 | | PAN-OS 11.2 | <11.2.4-h17 <11.2.7-h13 <11.2.10-h6 <11.2.12 | >= 11.2.4-h17 >= 11.2.7-h13 >= 11.2.10-h6 >= 11.2.12 | 05/28 05/13 05/13 05/28 | | PAN-OS 11.1 | <11.1.4-h33 <11.1.6-h32 <11.1.7-h6 <11.1.10-h25 <11.1.13-h5 <11.1.15 | >= 11.1.4-h33 >= 11.1.6-h32 >= 11.1.7-h6 >= 11.1.10-h25 >= 11.1.13-h5 >= 11.1.15 | 05/13 05/13 05/28 05/13 05/13 05/28 | | PAN-OS 10.2 | <10.2.7-h34 <10.2.10-h36 <10.2.13-h21 <10.2.16-h7 <10.2.18-h6 | >= 10.2.7-h34 >= 10.2.10-h36 >= 10.2.13-h21 >= 10.2.16-h7 >= 10.2.18-h6 | 05/28 05/13 05/28 05/28 05/13 |

As of May 13, 2026, the first round of patches has been published. Until the remaining awaited patches are available, Palo Alto Networks recommends one of the following workarounds:

Please refer to the vendor advisory for the latest guidance.

Exposure Command, InsightVM, and Nexpose

Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-0300 with authenticated vulnerability checks available in the May 6th, 2026 content release.

• **May 6, 2026**: Initial publication.

• **May 7, 2026**: Updated overview to note the addition to CISA KEV and the Unit 42 threat brief attributing exploitation to CL-STA-1132.
• **May 13, 2026**: Updated Mitigation guidance section to state that patches expected on May 13 have been published.

))%20https%3A%2F%2Fwww.rapid7.com%2Fblog%2Fpost%2Fetr-critical-buffer-overflow-in-palo-alto-networks-pan-os-user-id-authentication-portal-cve-2026-0300)

• [+1-866-390-8113](tel:+1-866-390-8113)

&kw=cybersecurity%20company,managed%20detection%20and%20response,exposure%20management,managed%20security%20solutions,vulnerability%20management,exposure%20assessment%20platform&p=https%3A%2F%2Fwww.rapid7.com%2Fblog%2Fpost%2Fetr-critical-buffer-overflow-in-palo-alto-networks-pan-os-user-id-authentication-portal-cve-2026-0300%2F&r=<=620&evt=pageLoad&sv=2&asc=D&cdb=AQET&rn=566538)

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences, or your device, and is mostly used to make the site work as you expect. The information does not usually identify you directly, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to learn more and change our default settings. Blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Reject All Confirm My Choices