PAN-OS User-ID Captive Portal Buffer Overflow Vulnerability (CVE-2026-0300) Analysis

CVE-2026-0300 PAN-OS User Authentication Portal Buffer Overflow Vulnerability Summary Vulnerability Overview Vulnerability Name: PAN-OS: Unauthenticated User-Initiated User-ID™ Authentication Portal Buffer Overflow Vulnerability CVE ID: CVE-2026-0300 Severity: CRITICAL CVSS Score: 9.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) Vulnerability Type: Buffer Overflow Exploitation Method: An attacker can exploit this vulnerability by sending crafted packets to the User-ID™ authentication portal (Captive Portal) service of Palo Alto Networks PAN-OS software as an unauthenticated user, thereby executing arbitrary code. Impact: Attackers can achieve code execution with root privileges. Affected Scope Affected Products: PA-Series and VM-Series firewalls configured with the User-ID™ authentication portal. Unaffected Products: Prisma Access, Cloud NGFW, Panorama. Affected Version Details: PAN-OS 12.1: and PAN-OS 12.2: , , , PAN-OS 11.1: , , , , , PAN-OS 10.2: , , , , Exposure Conditions: 1. The User-ID™ authentication portal is configured and enabled (applicable to both transparent and redirect modes). 2. The interface management profile has "Response Pages" enabled and is associated with an interface accessible from external networks/the public internet. 3. The authentication portal is exposed to untrusted IP addresses or the public internet. Remediation Official Patches: This vulnerability will be fixed in subsequent PAN-OS versions corresponding to the affected versions listed above (ETA: 05/13 or 05/28, depending on the version). Workarounds: 1. Restrict Access: Restrict access to the User-ID™ authentication portal to trusted subnets only. 2. Disable Response Pages: In the interface management profile, disable "Response Pages" for all Layer 3 interfaces that allow untrusted/internet traffic to enter. Note: Do not disable this if legitimate user browser redirection is required in these areas. 3. Complete Disable: If the User-ID™ authentication portal is not in use, disable it entirely. Threat Prevention: Customers with a Threat Prevention subscription can block attacks against this vulnerability by enabling Threat ID 510019 (from Applications and Threats content version 9097-10022). This feature requires PAN-OS 11.1 or later. Additional Information Release Date: 2026-05-06 Update Date: 2026-05-07 (Updated Threat Prevention ID and clarified required configuration sections) Exploitation Status: Exploitation has been observed in the wild. CPE Application Identifiers: is vulnerable within the following version ranges: to to to to to to to to to to to to to to to to to (Note: Specific POC or exploit code is not provided on the page.)

Goal Reached Thanks to every supporter — we hit 100%!

PAN-OS User-ID Captive Portal Buffer Overflow Vulnerability (CVE-2026-0300) Analysis