Skip to main content

PAN-OS EUVDEUVD-2026-30066

| CVE-2026-0265 HIGH
Improper Verification of Cryptographic Signature (CWE-347)
2026-05-13 palo_alto GHSA-qcp7-r34x-6gv6
7.2
CVSS 4.0 · Vendor: palo_alto
Share

Severity by source

Vendor (palo_alto) PRIMARY
7.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Red

Primary rating from Vendor (palo_alto) · only source for this CVE.

CVSS VectorVendor: palo_alto

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Red
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 08:47 vuln.today
Patch available
May 13, 2026 - 19:17 EUVD
CVSS changed
May 13, 2026 - 18:22 NVD
7.2 (HIGH)
CVE Published
May 13, 2026 - 17:38 nvd
HIGH 7.2

DescriptionCVE.org

An authentication bypass vulnerability in Palo Alto Networks PAN-OS® software enables an unauthenticated attacker with network access to bypass authentication controls when Cloud Authentication Service (CAS) is enabled.

The risk is higher if CAS is enabled on the management interface and lower when any other login interfaces are used.

The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .

This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).

Cloud NGFW and Prisma Access® are not impacted by this vulnerability.

AnalysisAI

Authentication bypass in Palo Alto Networks PAN-OS allows unauthenticated network attackers to circumvent authentication controls when the Cloud Authentication Service (CAS) feature is enabled, with the highest risk when CAS is bound to the management interface. The flaw affects PA-Series and VM-Series firewalls as well as Panorama (virtual and M-Series); Cloud NGFW and Prisma Access are not impacted. No public exploit identified at time of analysis, and EPSS rates real-world exploitation probability low at 0.08%, but the high-value target profile and CWE-347 (Improper Verification of Cryptographic Signature) class - combined with the 'Jwt Attack' tag - warrant prompt patching.

Technical ContextAI

PAN-OS is the operating system that powers Palo Alto Networks' next-generation firewall appliances (PA-Series), virtualized firewalls (VM-Series), and the Panorama centralized management platform. The Cloud Authentication Service (CAS) is the optional component that federates administrator and user authentication with cloud-hosted identity providers, typically by validating signed tokens (JWTs) issued upstream. The root cause maps to CWE-347 (Improper Verification of Cryptographic Signature), and the 'Jwt Attack' tag in the intelligence feed strongly suggests the bypass involves accepting tokens whose signature is missing, malformed, or trust-anchored incorrectly, allowing an attacker to forge or replay an identity claim that the CAS handler honors without proper cryptographic validation.

RemediationAI

Vendor-released patches are available: upgrade PAN-OS to 10.2.18-h6 / 10.2.16-h7 / 10.2.13-h21 / 10.2.10-h36 / 10.2.7-h34, or 11.1.15 / 11.1.13-h5 / 11.1.10-h25 / 11.1.7-h6 / 11.1.6-h32 / 11.1.4-h33, or 11.2.12 / 11.2.10-h6 / 11.2.7-h13 / 11.2.4-h17, or 12.1.7 / 12.1.4-h5 as appropriate to your release train, per https://security.paloaltonetworks.com/CVE-2026-0265. Where immediate patching is not possible, disable Cloud Authentication Service if it is not actively required (trade-off: cloud-federated admin/user logins will stop working until a local or alternate IdP is configured), and restrict access to the management web interface to a small set of trusted internal IP addresses or a dedicated management VLAN per Palo Alto's hardening guide at https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 - this dramatically reduces blast radius at the cost of breaking any remote-admin workflows that do not traverse the allowlist. Avoid exposing the management interface to the internet under any circumstances.

CVE-2013-3900 MEDIUM
5.5 Dec 11

Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update

CVE-2026-48558 CRITICAL POC
9.5 Jun 12

Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke

CVE-2025-59718 CRITICAL
9.8 Dec 09

Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to

CVE-2025-25291 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2025-25292 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2022-25898 CRITICAL POC
9.8 Jul 01

The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT

CVE-2024-42004 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti

CVE-2024-41145 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27

CVE-2024-41138 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work

CVE-2024-45409 CRITICAL POC
9.8 Sep 10

The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t

CVE-2022-35929 CRITICAL POC
9.8 Aug 04

cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote

CVE-2022-31053 CRITICAL POC
9.8 Jun 13

Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)

Share

EUVD-2026-30066 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy