7.2
CVE-2026-0265
- EPSS 0.08%
- Published 13.05.2026 17:38:33
- Last modified 13.05.2026 18:17:47
- Source psirt@paloaltonetworks.com
PAN-OS: Authentication Bypass with Cloud Authentication Service (CAS) enabled
An authentication bypass vulnerability in Palo Alto Networks PAN-OS® software enables an unauthenticated attacker with network access to bypass authentication controls when Cloud Authentication Service (CAS) is enabled. The risk is higher if CAS is enabled on the management interface and lower when any other login interfaces are used. The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 . This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series). Cloud NGFW and Prisma Access® are not impacted by this vulnerability.
Data is provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).
| Vendor | Product | Default Status | Version | Version < | Status |
|---|---|---|---|---|---|
| Palo Alto Networks | Cloud NGFW | unaffected | All | | unaffected |
| Palo Alto Networks | PAN-OS | unaffected | 12.1.0 | 12.1.7, 12.1.4-h5 | affected |
| Palo Alto Networks | PAN-OS | unaffected | 11.2.0 | 11.2.12, 11.2.10-h6, 11.2.7-h13, 11.2.4-h17 | affected |
| Palo Alto Networks | PAN-OS | unaffected | 11.1.0 | 11.1.15, 11.1.13-h5, 11.1.10-h25, 11.1.7-h6, 11.1.6-h32, 11.1.4-h33 | affected |
| Palo Alto Networks | PAN-OS | unaffected | 10.2.0 | 10.2.18-h6, 10.2.16-h7, 10.2.13-h21, 10.2.10-h36, 10.2.7-h34 | affected |
| Palo Alto Networks | Prisma Access | unaffected | All | | unaffected |
VulnDex Vulnerability Enrichment
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.08% | 0.226 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| psirt@paloaltonetworks.com | 7.2 | 0 | 0 | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Red |
CWE-347 Improper Verification of Cryptographic Signature
The product does not verify, or incorrectly verifies, the cryptographic signature for data.