Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Red
Primary rating from Vendor (palo_alto) · only source for this CVE.
CVSS VectorVendor: palo_alto
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Red
Lifecycle Timeline
4DescriptionCVE.org
An authentication bypass vulnerability in Palo Alto Networks PAN-OS® software enables an unauthenticated attacker with network access to bypass authentication controls when Cloud Authentication Service (CAS) is enabled.
The risk is higher if CAS is enabled on the management interface and lower when any other login interfaces are used.
The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .
This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).
Cloud NGFW and Prisma Access® are not impacted by this vulnerability.
AnalysisAI
Authentication bypass in Palo Alto Networks PAN-OS allows unauthenticated network attackers to circumvent authentication controls when the Cloud Authentication Service (CAS) feature is enabled, with the highest risk when CAS is bound to the management interface. The flaw affects PA-Series and VM-Series firewalls as well as Panorama (virtual and M-Series); Cloud NGFW and Prisma Access are not impacted. No public exploit identified at time of analysis, and EPSS rates real-world exploitation probability low at 0.08%, but the high-value target profile and CWE-347 (Improper Verification of Cryptographic Signature) class - combined with the 'Jwt Attack' tag - warrant prompt patching.
Technical ContextAI
PAN-OS is the operating system that powers Palo Alto Networks' next-generation firewall appliances (PA-Series), virtualized firewalls (VM-Series), and the Panorama centralized management platform. The Cloud Authentication Service (CAS) is the optional component that federates administrator and user authentication with cloud-hosted identity providers, typically by validating signed tokens (JWTs) issued upstream. The root cause maps to CWE-347 (Improper Verification of Cryptographic Signature), and the 'Jwt Attack' tag in the intelligence feed strongly suggests the bypass involves accepting tokens whose signature is missing, malformed, or trust-anchored incorrectly, allowing an attacker to forge or replay an identity claim that the CAS handler honors without proper cryptographic validation.
RemediationAI
Vendor-released patches are available: upgrade PAN-OS to 10.2.18-h6 / 10.2.16-h7 / 10.2.13-h21 / 10.2.10-h36 / 10.2.7-h34, or 11.1.15 / 11.1.13-h5 / 11.1.10-h25 / 11.1.7-h6 / 11.1.6-h32 / 11.1.4-h33, or 11.2.12 / 11.2.10-h6 / 11.2.7-h13 / 11.2.4-h17, or 12.1.7 / 12.1.4-h5 as appropriate to your release train, per https://security.paloaltonetworks.com/CVE-2026-0265. Where immediate patching is not possible, disable Cloud Authentication Service if it is not actively required (trade-off: cloud-federated admin/user logins will stop working until a local or alternate IdP is configured), and restrict access to the management web interface to a small set of trusted internal IP addresses or a dedicated management VLAN per Palo Alto's hardening guide at https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 - this dramatically reduces blast radius at the cost of breaking any remote-admin workflows that do not traverse the allowlist. Avoid exposing the management interface to the internet under any circumstances.
More in Jwt Attack
View allWhy is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update
Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke
Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT
A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti
A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27
A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote
Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30066
GHSA-qcp7-r34x-6gv6