CVE-2026-0265 PAN-OS Authentication Bypass with Cloud Authentication Service (CAS)
CVE-2026-0265 is an authentication bypass vulnerability in Palo Alto Networks PAN-OS when Cloud Authentication Service (CAS) is enabled, allowing an unauthenticated attacker with network access to bypass authentication controls, impacting confidentiality, integrity, and availability.
An authentication bypass vulnerability exists in Palo Alto Networks PAN-OS software when Cloud Authentication Service (CAS) is enabled. An unauthenticated attacker with network access can bypass authentication controls. The risk is higher if CAS is enabled on the management interface and lower when other login interfaces are used. This issue affects PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series). Cloud NGFW and Prisma Access are not impacted. Successful exploitation allows unauthorized access to the affected PAN-OS device, potentially leading to configuration changes, data compromise, or service disruption. Palo Alto Networks is not aware of any malicious exploitation of this issue.
Attack Chain
- Attacker identifies a vulnerable PAN-OS device with CAS enabled on a login interface.
- Attacker gains network access to the PAN-OS device.
- Attacker sends a crafted request to the PAN-OS device, bypassing the CAS authentication check.
- PAN-OS improperly verifies the cryptographic signature, allowing the bypass.
- The device grants the attacker unauthorized access.
- Attacker accesses sensitive configuration data.
- Attacker modifies the PAN-OS device configuration.
- Attacker disrupts services or exfiltrates data.
Impact
Successful exploitation of CVE-2026-0265 can lead to complete compromise of the affected Palo Alto Networks PAN-OS device. An attacker can gain unauthorized access to sensitive configuration data, modify device settings, disrupt network services, or potentially exfiltrate sensitive information. The impact is higher when CAS is enabled on the management interface, potentially affecting critical infrastructure management. Palo Alto Networks is not aware of any malicious exploitation of this issue, but the potential for significant impact remains high for exposed systems.
Recommendation
- Upgrade PAN-OS to a fixed version according to the table provided in the Palo Alto Networks advisory. Specifically, upgrade to PAN-OS 12.1.7, 11.2.12, 11.1.15, or 10.2.18-h6 or later versions.
- Apply the workaround to secure access to the management interface by restricting access to only trusted internal IP addresses, as described in the Palo Alto Networks LIVEcommunity article and technical documentation.
- As an alternative mitigation, disable the Cloud Authentication Service (CAS) by changing the associated authentication profile to SAML, RADIUS, or other supported authentication methods.
- Customers with a Threat Prevention subscription should enable Threat ID 510008 from Applications and Threats content version 9100-10044 and later to block attacks for this vulnerability.
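The following Python triages a firewall inventory against the four minimum fixed releases listed in the first recommendation above, including the `-hN` hotfix suffix. It is an added example, not code from the original page or from Palo Alto Networks. The hostnames, inventory rows and triage labels are constructed, and release trains not listed on this page are reported as needing a check against the vendor advisory table.

```python
import re

# Minimum fixed releases from the recommendation above, keyed by release train.
# Values are (maintenance, hotfix); 10.2.18-h6 -> (18, 6).
FIXED = {(12, 1): (7, 0), (11, 2): (12, 0), (11, 1): (15, 0), (10, 2): (18, 6)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text):
    """Split 'X.Y.Z' or 'X.Y.Z-hN' into ((X, Y), (Z, N)); None if malformed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, maint = int(m.group(1)), int(m.group(2)), int(m.group(3))
    return (major, minor), (maint, int(m.group(4) or 0))


def triage(version, cas_enabled):
    """Return a triage label (labels are this example's own convention)."""
    parsed = parse_panos_version(version)
    if parsed is None:
        return "unparseable"
    train, build = parsed
    if train not in FIXED:
        return "check-advisory"  # train not listed on this page
    if build >= FIXED[train]:
        return "ok"
    # Below the listed minimum: the issue applies when CAS is enabled, so
    # those devices come first; the rest still need the upgrade.
    return "upgrade-now" if cas_enabled else "upgrade-scheduled"


# Constructed inventory: (hostname, PAN-OS version, CAS profile in use).
INVENTORY = [
    ("fw-edge-01", "10.2.18-h5", True),
    ("fw-edge-02", "10.2.18-h6", True),
    ("fw-dc-01", "11.2.11-h3", False),
    ("panorama-01", "11.0.6", True),
]

if __name__ == "__main__":
    for host, version, cas in INVENTORY:
        print(f"{host:12} {version:12} {triage(version, cas)}")
```

A result of `upgrade-now` or `upgrade-scheduled` means only that the build is below the minimum listed here; the vendor advisory table remains the authority for hotfix builds on earlier maintenance releases.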
Detection coverage
Detect CVE-2026-0265 Attempt - Suspicious Management Interface Access
Severity: medium. Detects CVE-2026-0265 exploitation attempts by monitoring access to the PAN-OS management interface from unusual source IP addresses.
Detect CVE-2026-0265 Attempt - CAS Authentication Bypass Traffic
Severity: high. Detects CVE-2026-0265 exploitation attempts by monitoring network traffic patterns indicative of CAS authentication bypass. Requires Threat Prevention subscription.