Skip to main content

PAN-OS CVE-2026-0261

| EUVDEUVD-2026-30107 MEDIUM
OS Command Injection (CWE-78)
2026-05-13 palo_alto GHSA-3jxr-6794-xw26
6.1
CVSS 4.0 · Vendor: palo_alto
Share

Severity by source

Vendor (palo_alto) PRIMARY
6.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:M/U:Amber

Primary rating from Vendor (palo_alto) · only source for this CVE.

CVSS VectorVendor: palo_alto

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:M/U:Amber
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Generated
Jun 08, 2026 - 10:43 vuln.today
Patch available
May 13, 2026 - 20:02 EUVD
CVSS changed
May 13, 2026 - 19:22 NVD
6.1 (MEDIUM)
CVE Published
May 13, 2026 - 17:59 nvd
UNKNOWN (no severity yet)
CVE Published
May 13, 2026 - 17:59 nvd
MEDIUM 6.1

DescriptionCVE.org

Multiple command injection vulnerabilities in Palo Alto Networks PAN-OS® software enable an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. To be able to exploit this issue, the user must have access to the PAN-OS CLI or Web UI.

The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators and by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .

This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).

Cloud NGFW and Prisma Access® are not impacted by these vulnerabilities.

AnalysisAI

Multiple command injection vulnerabilities in Palo Alto Networks PAN-OS allow an authenticated administrator to escape system restrictions and execute arbitrary commands with root-level privileges on affected firewalls and Panorama management platforms. Affected deployments include PA-Series and VM-Series firewalls and Panorama (virtual and M-Series appliances) across PAN-OS versions 10.2, 11.1, 11.2, and 12.1. An attacker who already holds administrative credentials and can reach the CLI or Web UI can leverage these flaws to fully compromise the underlying OS. No public exploit code exists and no KEV listing is present at time of analysis, consistent with the very low EPSS score of 0.08% (24th percentile).

Technical ContextAI

CWE-78 (Improper Neutralization of Special Elements used in an OS Command, aka OS Command Injection) describes the root cause: user-controlled input is passed to a system shell without sufficient sanitization, allowing shell metacharacters to inject additional commands. The vulnerability exists in multiple locations within the PAN-OS codebase, accessible through both the PAN-OS command-line interface and the Web UI administrative interface. Affected CPE is cpe:2.3:a:palo_alto_networks:pan-os on PA-Series hardware firewalls, VM-Series virtual firewalls, and Panorama management appliances (virtual and M-Series). Although the NVD CPE data lists cpe:2.3:a:palo_alto_networks:cloud_ngfw and cpe:2.3:a:palo_alto_networks:prisma_access, the vendor advisory explicitly states Cloud NGFW and Prisma Access are NOT impacted - this CPE inclusion appears to be a data artifact and should be disregarded. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N) confirms the attack is delivered over the network with no additional attack complexity, but only reachable by an already-authenticated high-privilege (administrator) account.

RemediationAI

The primary remediation is to upgrade PAN-OS to one of the vendor-released fixed versions: 10.2.18-h6, 10.2.16-h7, 10.2.13-h21, 10.2.10-h36, or 10.2.7-h34 for the 10.2 train; 11.1.15, 11.1.13-h5, 11.1.10-h25, 11.1.7-h6, 11.1.6-h32, or 11.1.4-h33 for the 11.1 train; 11.2.12, 11.2.10-h6, 11.2.7-h13, or 11.2.4-h17 for the 11.2 train; and 12.1.7 or 12.1.4-h5 for the 12.1 train. See the official advisory at https://security.paloaltonetworks.com/CVE-2026-0261 for the full matrix. Where immediate patching is not possible, apply the vendor's recommended best-practice management access hardening: restrict CLI access to the smallest possible set of named administrators (reducing the number of accounts that could exploit the flaw), and restrict access to the Web UI management interface to trusted internal IP addresses only using management access control lists. Note that these compensating controls reduce but do not eliminate risk - a compromised or malicious administrator account within the allowed IP range retains the ability to exploit this issue until patching is applied. Reducing administrative account sprawl (disabling shared or unused admin accounts) further limits exposure.

CVE-2026-0265 HIGH
7.2 May 13

Authentication bypass in Palo Alto Networks PAN-OS allows unauthenticated network attackers to circumvent authentication

CVE-2026-0264 HIGH
7.2 May 13

Heap-based buffer overflow in the DNS proxy and DNS Server features of Palo Alto Networks PAN-OS allows unauthenticated

CVE-2026-0263 HIGH
7.2 May 13

Remote code execution and denial-of-service in Palo Alto Networks PAN-OS software stems from a buffer overflow in the IK

CVE-2026-0287 MEDIUM
6.6 Jul 09

Denial of service conditions in Palo Alto Networks PAN-OS allow unauthenticated network attackers to crash firewall data

CVE-2026-0262 MEDIUM
6.6 May 13

Multiple denial-of-service conditions in Palo Alto Networks PAN-OS allow unauthenticated remote attackers to crash or de

CVE-2026-0273 MEDIUM
6.1 Jun 10

Command injection in Palo Alto Networks PAN-OS enables an authenticated administrator to escape system-enforced restrict

CVE-2026-0272 MEDIUM
6.0 Jun 10

Privilege escalation in Palo Alto Networks PAN-OS on PA-Series and VM-Series firewalls and Panorama appliances allows an

CVE-2026-0258 MEDIUM
4.8 May 13

Server-side request forgery in the IKEv2 implementation of Palo Alto Networks PAN-OS allows unauthenticated remote attac

CVE-2026-0269 MEDIUM
4.6 Jun 10

Memory corruption in PAN-OS tunnel traffic processing allows an authenticated, adjacent-network attacker to force the fi

CVE-2026-0256 MEDIUM
4.4 May 13

Stored cross-site scripting in Palo Alto Networks PAN-OS® web interface allows a malicious authenticated administrator t

CVE-2026-0266 LOW
1.1 Jun 10

Stored cross-site scripting in Palo Alto Networks PAN-OS allows a malicious authenticated administrator to persist a Jav

Share

CVE-2026-0261 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy