Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
Administrator credentials required for management interface access (PR:H, AV:N); SSRF enables internal service probing (C:L) and unauthorized state modification (I:H); no scope change or availability impact.
Primary rating from Vendor (paloaltonetworks).
CVSS VectorVendor: paloaltonetworks
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
Lifecycle Timeline
3DescriptionCVE.org
A server-side request forgery (SSRF) vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator with network access to the management web interface to make unauthorized requests from the firewall to internal services.
The security risk posed by this issue is minimized when the management interface is restricted to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .
Panorama, Cloud NGFW, and Prisma® Access are not impacted by this vulnerability.
AnalysisAI
Server-side request forgery in Palo Alto Networks PAN-OS allows an authenticated administrator with access to the management web interface to weaponize the firewall as an unauthorized network relay, making requests to internal services on behalf of the attacker. Exploitation is constrained by the requirement for high-privilege administrator credentials (PR:H) and network reachability to the management interface, substantially limiting the realistic attacker population. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid PAN-OS administrator account with access to the management web interface - high-privilege credentials (PR:H per CVSS 4.0 vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 4.7 (Medium) accurately reflects a meaningful but bounded risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained PAN-OS administrator credentials through credential theft, phishing, or compromise of an admin workstation authenticates to the management web interface and crafts SSRF payloads targeting internal hosts reachable from the firewall - such as internal APIs, cloud metadata endpoints, or management plane services - that are otherwise network-isolated from the attacker's location. The firewall relays these requests on the attacker's behalf, enabling internal service enumeration, data exfiltration (VC:L), or unauthorized state modification of internal systems (VI:H). … |
| Remediation | Apply the vendor-issued patch for PAN-OS when available; the exact fixed version is not confirmed from the available data - consult the Palo Alto PSIRT advisory at https://security.paloaltonetworks.com/CVE-2026-0285 for specific patched release details as they are published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted F
Buffer overflow in the management web interface in Palo Alto Networks PAN-OS before 5.0.20, 5.1.x before 5.1.13, 6.0.x b
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto
Palo Alto Networks PAN-OS management interface contains an authenticated file read vulnerability allowing reading of fil
An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access t
An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated administrators to exe
A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to
A reflected cross-site scripting (XSS) vulnerability exists in the PAN-OS management web interface. Rated high severity
The device-management command-line interface in Palo Alto Networks PAN-OS before 3.1.12, 4.0.x before 4.0.10, and 4.1.x
Remote Code Execution in PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11-h1 and earlier, and PAN-OS 8.1.2 and earlier with Glob
The DNS Proxy in Palo Alto Networks PAN-OS before 6.1.18, 7.x before 7.0.16, 7.1.x before 7.1.11, and 8.x before 8.0.3 a
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42676
GHSA-3vmp-6pgh-4q54