CVE-2026-0300

Name: CVE-2026-0300
Creator: NVD / NIST
Published: 2026-05-06T19:16:35.73+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.3/10Actively ExploitedEPSS 36.16%

Last modified Jun 17, 2026

CVE-2026-0300 is a critical-severity vulnerability rated 9.3/10 on the CVSS scale. A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines https://knowledgebase.paloaltonetworks.com/KCSArticleDetail by restricting access to only trusted internal IP addresses. Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.. CISA has confirmed active exploitation in the wild. EPSS estimates a 36.16% chance of exploitation in the next 30 days.

Description

A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines https://knowledgebase.paloaltonetworks.com/KCSArticleDetail by restricting access to only trusted internal IP addresses. Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0

9.3/10

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Red

EPSS Probability

36.16%

98.3th percentile

Probability of exploitation in the next 30 days. Learn more

Exploitation Status

This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by May 9, 2026.

Weakness Enumeration

CWE-787

Affected Software

Vendor	Product	Versions
Paloaltonetworks	Pan-Os	10.2.0
Paloaltonetworks	Pan-Os	10.2.1
Paloaltonetworks	Pan-Os	10.2.2
Paloaltonetworks	Pan-Os	10.2.3
Paloaltonetworks	Pan-Os	10.2.4
Paloaltonetworks	Pan-Os	10.2.5
Paloaltonetworks	Pan-Os	10.2.6
Paloaltonetworks	Pan-Os	10.2.7
Paloaltonetworks	Pan-Os	10.2.8
Paloaltonetworks	Pan-Os	10.2.9
Paloaltonetworks	Pan-Os	10.2.10
Paloaltonetworks	Pan-Os	10.2.11
Paloaltonetworks	Pan-Os	10.2.12
Paloaltonetworks	Pan-Os	10.2.13
Paloaltonetworks	Pan-Os	10.2.14
Paloaltonetworks	Pan-Os	10.2.15
Paloaltonetworks	Pan-Os	10.2.16
Paloaltonetworks	Pan-Os	10.2.17
Paloaltonetworks	Pan-Os	10.2.18
Paloaltonetworks	Pan-Os	11.1.0
Paloaltonetworks	Pan-Os	11.1.1
Paloaltonetworks	Pan-Os	11.1.2
Paloaltonetworks	Pan-Os	11.1.3
Paloaltonetworks	Pan-Os	11.1.4
Paloaltonetworks	Pan-Os	11.1.5
Paloaltonetworks	Pan-Os	11.1.6
Paloaltonetworks	Pan-Os	11.1.7
Paloaltonetworks	Pan-Os	11.1.8
Paloaltonetworks	Pan-Os	11.1.9
Paloaltonetworks	Pan-Os	11.1.10
Paloaltonetworks	Pan-Os	11.1.11
Paloaltonetworks	Pan-Os	11.1.12
Paloaltonetworks	Pan-Os	11.1.13
Paloaltonetworks	Pan-Os	11.1.14
Paloaltonetworks	Pan-Os	11.2.0
Paloaltonetworks	Pan-Os	11.2.1
Paloaltonetworks	Pan-Os	11.2.2
Paloaltonetworks	Pan-Os	11.2.3
Paloaltonetworks	Pan-Os	11.2.4
Paloaltonetworks	Pan-Os	11.2.5
Paloaltonetworks	Pan-Os	11.2.6
Paloaltonetworks	Pan-Os	11.2.7
Paloaltonetworks	Pan-Os	11.2.8
Paloaltonetworks	Pan-Os	11.2.9
Paloaltonetworks	Pan-Os	11.2.10
Paloaltonetworks	Pan-Os	11.2.11
Paloaltonetworks	Pan-Os	12.1.2
Paloaltonetworks	Pan-Os	12.1.3
Paloaltonetworks	Pan-Os	12.1.4
Paloaltonetworks	Pan-Os	12.1.5

Showing 50 of 52 affected configurations. See NVD for the full list.

References

https://security.paloaltonetworks.com/CVE-2026-0300Mitigation, Vendor Advisory
https://cert-portal.siemens.com/productcert/html/ssa-967325.htmlThird Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-0300US Government Resource

Timeline

Published: May 6, 2026
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2026-0300?

How severe is CVE-2026-0300?

CVE-2026-0300 has a CVSS score of 9.3/10 (CRITICAL severity). The EPSS model estimates a 36.16% probability of exploitation in the next 30 days. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

How do I fix CVE-2026-0300?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-0300?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST