Critical9.3Palo Alto Networks Exploited CISA KEV Updated
CVE-2026-0300 PAN-OS: Unauthenticated user initiated Buffer Overflow Vulnerability in User-ID™ Authentication Portal
CVE-2026-0300 Published May 28, 2026
CVE-2026-0300
Affected products & platforms
Palo Alto NetworksPAN-OSFirewall
Summary
CVE-2026-0300 PAN-OS: Unauthenticated user initiated Buffer Overflow Vulnerability in User-ID™ Authentication Portal
CISA Known Exploited Vulnerability
- Listed:
- May 6, 2026 · federal remediation due May 9, 2026
- Required action:
- Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Until the vendor releases an official fix, the following workaround should be implemented: - Restrict User-ID Authentication Portal access to only trusted zones. - Disable User-ID Authentication Portal if not required. 5/13/2026: Palo Alto has released a variety of patches. If these are relevant to your environment, please apply the designated patch.
- Ransomware use:
- Unknown
KEV is a prioritization signal from CISA — remediation detail still comes from the vendor advisory.
Affected versions
- PAN-OS < 12.1.7
- PAN-OS < 11.2.12
- PAN-OS < 11.1.15
- PAN-OS < 10.2.18-h6
Official advisory · high-confidence parse· fetched 2 days ago·verify at source
Fixed versions
- PAN-OS >= 12.1.7
- PAN-OS >= 12.1.4-h5
- PAN-OS >= 11.2.12
- PAN-OS >= 11.2.10-h6
- PAN-OS >= 11.2.7-h13
- PAN-OS >= 11.2.4-h17
- PAN-OS >= 11.1.15
- PAN-OS >= 11.1.13-h5
- PAN-OS >= 11.1.10-h25
- PAN-OS >= 11.1.7-h6
- PAN-OS >= 11.1.6-h32
- PAN-OS >= 11.1.4-h33
- PAN-OS >= 10.2.18-h6
- PAN-OS >= 10.2.16-h7
- PAN-OS >= 10.2.13-h21
- PAN-OS >= 10.2.10-h36
- PAN-OS >= 10.2.7-h34
Official advisory · high-confidence parse· fetched 2 days ago·verify at source
Mitigation checklist
Recommended fix / mitigation
- Upgrade to a fixed release: PAN-OS >= 12.1.7; PAN-OS >= 12.1.4-h5; PAN-OS >= 11.2.12; PAN-OS >= 11.2.10-h6; ….
Temporary workarounds
- Customers can mitigate the risk of this issue by taking either of the following actions:
- Restrict User-ID™ Authentication Portal access to only trusted zones and in addition, disable Response Pages in the Interface Management Profile attached to every L3 interface in any zone where untrusted/internet traffic can ingress.
- Keep Response Pages enabled only on interfaces in trust/internal zones where legitimate users' browsers ingress.
- Refer to Step 6 of the following Live Community article and Knowledgebase article for steps to restrict access.Disable User-ID™ Authentication Portal if not required.
Official advisory · high-confidence parse· fetched 2 days ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.