cbcvebase.
CVE-2026-0265
published 2026-05-13

CVE-2026-0265: An authentication bypass vulnerability in Palo Alto Networks PAN-OS® software enables an unauthenticated attacker with network access to bypass authentication…

PriorityP355high7.2CVSS 4.0
AVNACLATPPRNUINVCHVIHVAHSCNSINSANEUCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUNRUVDREMURed
EPSS
0.44%
35.2th percentile
An authentication bypass vulnerability in Palo Alto Networks PAN-OS® software enables an unauthenticated attacker with network access to bypass authentication controls when Cloud Authentication Service (CAS) is enabled. The risk is higher if CAS is enabled on the management interface and lower when any other login interfaces are used. The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 . This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series). Cloud NGFW and Prisma Access® are not impacted by this vulnerability.

Affected

7 ranges
VendorProductVersion rangeFixed in
palo_alto_networkspan-os>= 10.2.0 < 10.2.18-h6, 10.2.16-h7, 10.2.13-h21, 10.2.10-h36, 10.2.7-h3410.2.18-h6, 10.2.16-h7, 10.2.13-h21, 10.2.10-h36, 10.2.7-h34
palo_alto_networkspan-os>= 11.1.0 < 11.1.15, 11.1.13-h5, 11.1.10-h25, 11.1.7-h6, 11.1.6-h32, 11.1.4-h3311.1.15, 11.1.13-h5, 11.1.10-h25, 11.1.7-h6, 11.1.6-h32, 11.1.4-h33
palo_alto_networkspan-os>= 11.2.0 < 11.2.12, 11.2.10-h6, 11.2.7-h13, 11.2.4-h1711.2.12, 11.2.10-h6, 11.2.7-h13, 11.2.4-h17
palo_alto_networkspan-os>= 12.1.0 < 12.1.7, 12.1.4-h512.1.7, 12.1.4-h5
paloaltocloud_ngfw
paloaltopan-os
paloaltoprisma_access
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.