On May 6, 2026, Palo Alto Networks disclosed a critical buffer overflow vulnerability (CVE-2026-0300) in the User-ID™ Authentication Portal (Captive Portal) component of PAN-OS. This vulnerability allows an unauthenticated, remote attacker to execute arbitrary code with root privileges on affected PA-Series and VM-Series firewalls by sending specially crafted packets. No user interaction or credentials are required.
Active, limited exploitation has been confirmed against firewalls where the User-ID Authentication Portal is accessible from untrusted networks or the internet. CISA has added CVE-2026-0300 to the Known Exploited Vulnerabilities (KEV) catalog, with U.S. federal agencies mandated to remediate by May 9, 2026.
Prisma Access, Cloud NGFW, and Panorama appliances are not affected.
Vulnerability Details
This vulnerability was first publicly disclosed on 5/6/2026 by PAN. Limited exploitation has been observed as of the time of writing.
| CVE | CVSS | Vulnerability Type | Vector | Affected Products |
| CVE-2026-0300 | CRITICAL-CVSS 4.0 | Buffer Overflow (CWE-787: Out-of-bounds Write) | Unauthenticated, Remote Code Execution (RCE) | PA-Series and VM-Series firewalls with User-ID Authentication Portal enabled. |
Recommendations for CVE-2026-0300
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version when available, and apply the vendor-recommended workaround to secure access to your User-ID™ Authentication Portal, following the instructions in the Workaround(s) section below.
| Product | Affected Version | Fixed Version |
| | None | All |
| | < 12.1.4-h5, < 12.1.7 | >= 12.1.4-h5 (ETA: 05/13), >= 12.1.7 (ETA: 05/28) |
| | < 11.2.4-h17, < 11.2.7-h13, < 11.2.10-h6, < 11.2.12 | >= 11.2.4-h17 (ETA: 05/28), >= 11.2.7-h13 (ETA: 05/13), >= 11.2.10-h6 (ETA: 05/13), >= 11.2.12 (ETA: 05/28) |
| | < 11.1.4-h33, < 11.1.6-h32, < 11.1.7-h6, < 11.1.10-h25, < 11.1.13-h5, < 11.1.15 | >= 11.1.4-h33 (ETA: 05/13), >= 11.1.6-h32 (ETA: 05/13), >= 11.1.7-h6 (ETA: 05/28), >= 11.1.10-h25 (ETA: 05/13), >= 11.1.13-h5 (ETA: 05/13), >= 11.1.15 (ETA: 05/28) |
| | < 10.2.7-h34, < 10.2.10-h36, < 10.2.13-h21, < 10.2.16-h7, < 10.2.18-h6 | >= 10.2.7-h34 (ETA: 05/28), >= 10.2.10-h36 (ETA: 05/13), >= 10.2.13-h21 (ETA: 05/28), >= 10.2.16-h7 (ETA: 05/28), >= 10.2.18-h6 (ETA: 05/13) |
| | None | All |
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.
Workaround(s)
Per , customers can mitigate the risk of this issue by taking either of the following actions:
- Restrict User-ID™ Authentication Portal access to only trusted zones.
  - Disable Response Pages in the Interface Management Profile attached to every L3 interface in any zone where untrusted/internet traffic can ingress.
  - Keep Response Pages enabled only on interfaces in trust/internal zones where legitimate users’ browsers ingress.
  - Refer to Step 6 of the following and for steps to restrict access.
- Disable User-ID™ Authentication Portal if not required.



