Buffer Overflow Vulnerability in Palo Alto Networks User-ID™ Authentication Portal
CVE-2026-0300

8.7 HIGH

Key Information:

Vendor
CVE Published: 6 May 2026

Badges

🥇 Trended No. 1 | 📈 Trended | 📈 Score: 16,600 | 👾 Exploit Exists | 🟡 Public PoC | 🟣 EPSS 14% | 🦅 CISA Reported | 📰 News Worthy

What is CVE-2026-0300?

CVE-2026-0300 is a critical buffer overflow vulnerability affecting the User-ID™ Authentication Portal, also known as the Captive Portal, within Palo Alto Networks' PAN-OS software. This portal provides authentication services that allow users to gain access to network resources. The vulnerability allows unauthenticated attackers to send specially crafted packets to the service, resulting in the execution of arbitrary code with root privileges on PA-Series and VM-Series firewalls. If exploited, this could lead to complete control over affected firewall devices, directly compromising the security management of an organization's network infrastructure. Organizations relying on these firewalls for secure operations face heightened risks if the vulnerability is not adequately mitigated.

Potential Impact of CVE-2026-0300

  1. Unauthorized Access and Control: Attackers could gain root-level access to firewall devices, allowing them to manipulate firewall rules, access sensitive data, and potentially pivot to other parts of the organization’s network.

  2. Increased Risk of Data Breach: With the capacity for executing arbitrary code, there is a significant risk that attackers could exploit the vulnerability to extract sensitive information, leading to potential data breaches that could impact compliance with regulations and damage organizational reputation.

  3. Network Disruption and Service Outages: The exploitation of this vulnerability could lead to disruptions in network services provided by the firewalls. This could result in downtime and affect the availability of critical applications and services, leading to operational and financial losses for the organization.

CISA has reported CVE-2026-0300

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2026-0300 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace.

The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Until the vendor releases an official fix, the following workaround should be implemented:

  • Restrict User-ID Authentication Portal access to only trusted zones.

  • Disable User-ID Authentication Portal if not required.

5/13/2026: Palo Alto has released a variety of patches. If these are relevant to your environment, please apply the designated patch.

Affected Version(s)

PAN-OS 12.1.0 < 12.1.7

PAN-OS 11.2.0 < 11.2.12

PAN-OS 11.1.0 < 11.1.15

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

News Articles

PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage

CVE-2026-0300 exploited after April 9 attempts enables PAN-OS RCE, leading to stealth espionage and lateral movement by April 29.

1 week ago

Palo Alto Networks Firewall Zero-Day RCE Vulnerability Exploited in the Wild Since April - IT Security News

A critical zero-day vulnerability in Palo Alto Networks PAN-OS software has been actively exploited by a likely state-sponsored threat actor since at least April 2026, the company revealed in a security advisory published on May 6, 2026. Tracked as CVE-2026-0300,…

1 week ago

State-sponsored hackers likely behind zero-day attacks on Palo Alto firewalls - Help Net Security

Palo Alto Networks says attacks leveraging zero-day vulnerability (CVE-2026-0300) in its firewalls are likely state sponsored.

1 week ago

EPSS Score

14% chance of being exploited in the next 30 days.

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • 🥇 Vulnerability reached the number 1 worldwide trending spot

  • 🟡 Public PoC available

  • 📈 Vulnerability started trending

  • 👾 Exploit known to exist

  • 🦅 CISA Reported

  • 📰 First article discovered by Cybersecuritynews

  • Vulnerability published

  • Vulnerability Reserved
