Skip to main content

Palo Alto PAN-OS CVE-2026-0258

| EUVDEUVD-2026-30105 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-13 palo_alto GHSA-xpv6-xwmp-4m43
4.8
CVSS 4.0 · Vendor: palo_alto
Share

Severity by source

Vendor (palo_alto) PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:H/U:Amber

Primary rating from Vendor (palo_alto) · only source for this CVE.

CVSS VectorVendor: palo_alto

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:H/U:Amber
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Generated
Jun 08, 2026 - 10:44 vuln.today
Patch available
May 13, 2026 - 20:02 EUVD
CVSS changed
May 13, 2026 - 19:22 NVD
4.8 (MEDIUM)
CVE Published
May 13, 2026 - 18:08 nvd
UNKNOWN (no severity yet)
CVE Published
May 13, 2026 - 18:08 nvd
MEDIUM 4.8

DescriptionCVE.org

A server-side request forgery (SSRF) vulnerability in the IKEv2 implementation of Palo Alto Networks PAN-OS® software allows an unauthenticated attacker to cause the firewall to send network requests to unintended destinations or cause a denial of service (DoS) condition.

Panorama, Cloud NGFW and Prisma® Access are not impacted by these vulnerabilities.

AnalysisAI

Server-side request forgery in the IKEv2 implementation of Palo Alto Networks PAN-OS allows unauthenticated remote attackers to coerce the firewall into issuing outbound network requests to arbitrary destinations or to trigger a denial-of-service condition. Affected are PAN-OS 10.2, 11.1, 11.2, and 12.1 branch trains; Panorama, Cloud NGFW, and Prisma Access are explicitly confirmed unaffected. No public exploit code has been identified and SSVC assessment confirms no current exploitation, though a vendor-released patch is available across all impacted branches.

Technical ContextAI

IKEv2 (Internet Key Exchange version 2, RFC 7296) is the protocol used to negotiate and establish IPsec VPN security associations, typically operating over UDP ports 500 and 4500. CWE-918 (Server-Side Request Forgery) arises when an application accepts attacker-controlled input and uses it - without adequate validation or allowlisting - to construct and issue outbound network requests from the server itself. In this case, the PAN-OS IKEv2 handler processes attacker-supplied protocol fields in a way that allows the firewall appliance to be directed to initiate connections to unintended hosts. This is particularly impactful on a network security device because the firewall often has privileged access to internal network segments that would otherwise be unreachable from external attackers, making SSRF a vector for internal reconnaissance. Affected CPEs include cpe:2.3:a:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* across the 10.2, 11.1, 11.2, and 12.1 version trees per EUVD-2026-30105.

RemediationAI

The primary remediation is upgrading to a patched PAN-OS release. For PAN-OS 10.2, upgrade to 10.2.18-h6, 10.2.16-h7, 10.2.13-h21, 10.2.10-h36, or 10.2.7-h34 depending on the deployed minor version. For PAN-OS 11.1, upgrade to 11.1.15, 11.1.13-h5, 11.1.10-h25, 11.1.7-h6, 11.1.6-h32, or 11.1.4-h33. For PAN-OS 11.2, upgrade to 11.2.12, 11.2.10-h6, 11.2.7-h13, or 11.2.4-h17. For PAN-OS 12.1, upgrade to 12.1.7 or 12.1.4-h5. Full patch details and upgrade guidance are available from the vendor advisory at https://security.paloaltonetworks.com/CVE-2026-0258. As a compensating control where immediate patching is not possible, restrict inbound IKEv2 traffic (UDP 500 and UDP 4500) using upstream ACLs or zone-based policies to only known, trusted VPN peer IP addresses. This reduces the attacker-accessible attack surface but may impact legitimate VPN onboarding flows with dynamic peer IPs. Egress firewall rules limiting outbound connections from the management and dataplane to expected infrastructure can limit the practical SSRF reach while a patch is applied.

CVE-2026-0265 HIGH
7.2 May 13

Authentication bypass in Palo Alto Networks PAN-OS allows unauthenticated network attackers to circumvent authentication

CVE-2026-0264 HIGH
7.2 May 13

Heap-based buffer overflow in the DNS proxy and DNS Server features of Palo Alto Networks PAN-OS allows unauthenticated

CVE-2026-0263 HIGH
7.2 May 13

Remote code execution and denial-of-service in Palo Alto Networks PAN-OS software stems from a buffer overflow in the IK

CVE-2026-0287 MEDIUM
6.6 Jul 09

Denial of service conditions in Palo Alto Networks PAN-OS allow unauthenticated network attackers to crash firewall data

CVE-2026-0262 MEDIUM
6.6 May 13

Multiple denial-of-service conditions in Palo Alto Networks PAN-OS allow unauthenticated remote attackers to crash or de

CVE-2026-0273 MEDIUM
6.1 Jun 10

Command injection in Palo Alto Networks PAN-OS enables an authenticated administrator to escape system-enforced restrict

CVE-2026-0261 MEDIUM
6.1 May 13

Multiple command injection vulnerabilities in Palo Alto Networks PAN-OS allow an authenticated administrator to escape s

CVE-2026-0272 MEDIUM
6.0 Jun 10

Privilege escalation in Palo Alto Networks PAN-OS on PA-Series and VM-Series firewalls and Panorama appliances allows an

CVE-2026-0269 MEDIUM
4.6 Jun 10

Memory corruption in PAN-OS tunnel traffic processing allows an authenticated, adjacent-network attacker to force the fi

CVE-2026-0256 MEDIUM
4.4 May 13

Stored cross-site scripting in Palo Alto Networks PAN-OS® web interface allows a malicious authenticated administrator t

CVE-2026-0266 LOW
1.1 Jun 10

Stored cross-site scripting in Palo Alto Networks PAN-OS allows a malicious authenticated administrator to persist a Jav

Share

CVE-2026-0258 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy