High8.5Vendor: MediumPalo Alto Networks
CVE-2026-0286 PAN-OS: Authenticated Command Injection in CLI
CVE-2026-0286 Published Jul 8, 2026
CVE-2026-0286
Affected products & platforms
Palo Alto NetworksPAN-OSFirewall
Summary
CVE-2026-0286 PAN-OS: Authenticated Command Injection in CLI
Affected versions
- PAN-OS < 12.1.8
- PAN-OS < 11.2.13
- PAN-OS < 11.1.16
- PAN-OS < 10.2.18-h8
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Fixed versions
- PAN-OS >= 12.1.8
- PAN-OS >= 12.1.7-h2
- PAN-OS >= 12.1.4-h8
- PAN-OS >= 11.2.13
- PAN-OS >= 11.2.10-h11
- PAN-OS >= 11.2.7-h18
- PAN-OS >= 11.2.4-h20
- PAN-OS >= 11.1.16
- PAN-OS >= 11.1.13-h9
- PAN-OS >= 11.1.10-h30
- PAN-OS >= 11.1.7-h8
- PAN-OS >= 11.1.6-h35
- PAN-OS >= 11.1.4-h35
- PAN-OS >= 10.2.18-h8
- PAN-OS >= 10.2.16-h9
- PAN-OS >= 10.2.13-h23
- PAN-OS >= 10.2.10-h39
- PAN-OS >= 10.2.7-h36
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation checklist
Recommended fix / mitigation
- VersionMinor VersionSuggested SolutionCloud NGFW AllNo action needed.
- PAN-OS 12.1 12.1.5 through 12.1.7-h* Upgrade to 12.1.7-h2 or 12.1.8 or later. 12.1.2 through 12.1.4-h* Upgrade to 12.1.4-h8 or 12.1.8 or later.
Temporary workarounds
- Customers with a Threat Prevention subscription are provided with limited coverage against this vulnerability by enabling Threat ID 510036 (from Applications and Threats content version 9122-10145 and later).
- For these Threat IDs to protect against attacks for this vulnerability:
- Route incoming traffic for the MGT port through a DP port, e.g., enabling management profile on a DP interface for management access.Replace the Certificate for Inbound Traffic Management.
- Decrypt inbound traffic to the management interface so the firewall can inspect it.Enable threat prevention on the inbound traffic to management services.
- Please note that this Threat ID requires SSL Decryption.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.