
CVE-2026-0300: Unauthenticated Remote Code Execution in the PAN-OS User-ID Authentication Portal

CVE-2026-0300 is a critical zero-day vulnerability affecting Palo Alto Networks PAN-OS firewalls. The flaw exists within the User-ID™ Authentication Portal and allows an unauthenticated, remote attacker to execute arbitrary code with root privileges via specially crafted network packets.

Threat alert
May 6, 2026

The User-ID™ Authentication Portal, also known as the Captive Portal, is triggered when the firewall encounters traffic from an unknown user that requires authentication to satisfy a security policy rule. The firewall intercepts the session and redirects the user to the Authentication Portal to provide credentials via a web form.

The service is inherently exposed to unauthenticated users, as its primary purpose is to identify and authenticate those who are not yet known to the system. The vulnerability resides in the packet-parsing logic of the service, which is responsible for handling the initial handshake and protocol exchange before any authentication has occurred.

The technical root cause of CVE-2026-0300 is an out-of-bounds write, specifically a buffer overflow, which occurs during the processing of incoming network packets. This type of memory corruption vulnerability arises when a program writes more data to a buffer than it is designed to hold, leading to the overwriting of adjacent memory locations. In the context of the User-ID™ Authentication Portal, the flaw is triggered by "specially crafted packets" sent by an unauthenticated attacker.

By meticulously crafting the length and content of these packets, an attacker can manipulate the instruction pointer or return addresses on the stack. The successful exploitation of this flaw leads to remote code execution (RCE) with root privileges. Root-level access on a firewall is catastrophic because it grants the attacker total control over the appliance's operating system. This allows for the modification of security rules, the disabling of logging mechanisms, the exfiltration of sensitive configuration files, and the deployment of persistent backdoors within the firewall's underlying Linux environment.

Affected Versions

Palo Alto Networks has identified that the vulnerability affects all current major release branches of PAN-OS, specifically versions 10.2, 11.1, 11.2, and 12.1. PA-Series and VM-Series firewalls running the versions listed in the table below are susceptible to exploitation if they have the User-ID™ Authentication Portal enabled.

Importantly, managed cloud services like Prisma Access and Cloud NGFW, as well as Panorama appliances, remain unaffected.


| PAN-OS Branch | Affected Version Range | Round 1 Patch (ETA: 05/13/2026) | Round 2 Patch (ETA: 05/28/2026) |
| --- | --- | --- | --- |
| PAN-OS 12.1 | < 12.1.4-h5, < 12.1.7 | >= 12.1.4-h5 | >= 12.1.7 |
| PAN-OS 11.2 | < 11.2.4-h17, < 11.2.7-h13, < 11.2.10-h6, < 11.2.12 | >= 11.2.7-h13, >= 11.2.10-h6 | >= 11.2.4-h17, >= 11.2.12 |
| PAN-OS 11.1 | < 11.1.4-h33, < 11.1.6-h32, < 11.1.7-h6, < 11.1.10-h25, < 11.1.13-h5, < 11.1.15 | >= 11.1.4-h33, >= 11.1.6-h32, >= 11.1.10-h25, >= 11.1.13-h5 | >= 11.1.7-h6, >= 11.1.15 |
| PAN-OS 10.2 | < 10.2.7-h34, < 10.2.10-h36, < 10.2.13-h21, < 10.2.16-h7, < 10.2.18-h6 | >= 10.2.10-h36, >= 10.2.18-h6 | >= 10.2.7-h34, >= 10.2.13-h21, >= 10.2.16-h7 |

The presence of "h" (hotfix) versions indicates that Palo Alto Networks is releasing out-of-band updates specifically to address this critical flaw without requiring a move to a completely new minor release, which might introduce other architectural changes. This strategy is designed to minimise the operational downtime and testing requirements for administrators who must act quickly to mitigate the zero-day risk.
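As an added defensive helper (not code from this alert or from Palo Alto Networks), the following Python script classifies a PAN-OS version string against the hotfix table above, handling the `-hN` hotfix suffix correctly. It assumes the table's thresholds apply per maintenance release: a version is fixed when it is at or above the listed hotfix for its own maintenance release, or at or above a listed base release (so 12.1.7 also covers 12.1.8), and a branch missing from the table is reported as "not listed" rather than assumed safe.

```python
import re
from typing import NamedTuple

# Fixed versions per PAN-OS branch, transcribed from the hotfix table above
# (both patch rounds combined). A version counts as fixed when it is at or
# above the listed hotfix for its own maintenance release, or at or above a
# listed base release (so 12.1.7 also covers 12.1.8). That per-maintenance-
# release reading is our assumption; the alert states only the thresholds.
FIXED = {
    (12, 1): ["12.1.4-h5", "12.1.7"],
    (11, 2): ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    (11, 1): ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25",
              "11.1.13-h5", "11.1.15"],
    (10, 2): ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7",
              "10.2.18-h6"],
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

class Version(NamedTuple):
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when the string has no -hN suffix

def parse(s: str) -> Version:
    """Parse 'major.minor.maint[-hN]' into a comparable tuple."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {s!r}")
    major, minor, maint, hotfix = m.groups()
    return Version(int(major), int(minor), int(maint), int(hotfix or 0))

def covered_by(v: Version, fix: Version) -> bool:
    if fix.hotfix == 0:  # base-release fix covers that release and later ones
        return v.maint >= fix.maint
    return v.maint == fix.maint and v.hotfix >= fix.hotfix

def status(version: str) -> str:
    """Return 'fixed', 'affected' or 'not listed' for a PAN-OS version string."""
    v = parse(version)
    fixes = FIXED.get((v.major, v.minor))
    if fixes is None:
        return "not listed"  # branch absent from the table: do not assume it is safe
    return "fixed" if any(covered_by(v, parse(f)) for f in fixes) else "affected"

if __name__ == "__main__":
    for s in ["12.1.4", "12.1.4-h5", "12.1.5", "12.1.8", "11.2.11", "10.1.9"]:
        print(f"{s:<12} {status(s)}")
```

Feed it the version strings from your inventory (for example the `sw-version` field of `show system info`) to produce a prioritised patch list; note that 12.1.5 and 11.2.11 come out as affected because no listed fix covers their maintenance release.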

Remediation and Mitigation

Until hotfixes can be applied, organisations should execute the following immediate action plan to secure their environments:

  • Exposure Assessment & Service Disablement: If the User-ID™ Authentication Portal is not a critical component of daily operations, the most robust mitigation is to disable it entirely. Navigate to the Authentication Portal Settings page (Device > User Identification > Authentication Portal Settings) and ensure "Enable Authentication Portal" is unchecked.
    • Note on GlobalProtect: Some administrators have expressed concern regarding the impact of disabling this service on GlobalProtect VPN portals. Current technical analysis indicates they are distinct services, though certain inbound authentication prompts (specifically on UDP port 4501 in PAN-OS 11.x) may be affected. Organisations should test the impact in a staging environment before disabling the feature in production deployments.
  • Access Isolation: If the portal cannot be disabled, immediately restrict its access to trusted internal network zones only. Verify your Interface Management Profiles; if a profile has "Response Pages" enabled and is attached to an external or untrusted interface, it creates a direct vector for exploitation. Detach these profiles from internet-facing interfaces immediately.
  • Threat Prevention Deployment: Ensure that all firewalls are running the latest content updates and that the specific signature for CVE-2026-0300 is active and set to "block" (rather than alert) to intercept exploitation attempts.
  • Proactive Hunting: Review firewall and network logs for known indicators of compromise. Look specifically for anomalous HTTP POST activity directed to the portal URL or unexplained outbound network connections originating from the firewall's management plane.
  • Staged Patching: Prepare for the May 13 and May 28 patch release cycles. Prioritise the most exposed and critical firewalls for the initial phase of updates according to the hotfix table provided above.