High1 public exploit

Authentication Bypass in Palo Alto PAN-OS with Cloud Authentication Service (CAS) enabled

CVE-2026-0265 CWE-347· Improper Verification of…

CVE-2026-0265 is an authentication bypass vulnerability in Palo Alto Networks PAN-OS caused by improper verification of cryptographic signatures. When an authentication profile using Cloud Authentication Service (CAS) is enabled and attached to a login interface, an unauthenticated attacker with network access can bypass authentication controls on the affected device. Palo Alto states the risk is highest when CAS is enabled on the management interface, though other login interfaces may also be affected at lower risk. The issue affects PAN-OS on PA-Series and VM-Series firewalls and Panorama appliances, including virtual and M-Series deployments. Cloud NGFW and Prisma Access are not affected.

Stay ahead

Get ahead of vulnerabilities like this

Mallory continuously monitors global threat intelligence and correlates it with your attack surface — so you know if you’re exposed before adversaries strike.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. For analysts and engineers who need to decide and keep moving.

Impact

What an attacker gets — and what they’ve been doing with it.

Successful exploitation allows a remote unauthenticated attacker to defeat authentication protections on a CAS-enabled PAN-OS login interface. Depending on the exposed interface and role of the targeted system, this can result in unauthorized administrative access to the management plane or unauthorized access through other PAN-OS login surfaces. Public reporting cited the possibility of gaining VPN access via affected GlobalProtect portals, but vendor-confirmed impact in the provided content is authentication bypass on affected PAN-OS devices.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by restricting access to the management web interface to trusted internal IP addresses in line with Palo Alto Networks best-practice guidance. Because exploitation requires network reachability to a CAS-attached login interface, limiting or removing external access to management and other affected login surfaces reduces risk. The content indicates risk is greatly reduced when management interface access is tightly restricted. However, patching is the preferred corrective action.

Remediation

Patch, then assume compromise.

Apply Palo Alto Networks security updates for CVE-2026-0265 on affected PAN-OS releases. The provided content states Palo Alto published patches for many affected version streams on May 13, 2026, with additional fixes expected on May 28, 2026. Organizations running affected PA-Series, VM-Series, or Panorama appliances with CAS enabled should upgrade to a fixed PAN-OS version on an emergency basis. Review Palo Alto Networks' advisory for the exact fixed releases applicable to each supported branch.

PUBLIC EXPLOITS

Exploits

No valid public exploits — Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.

VALID 0 / 1 TOTALView all

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Palo Alto NetworksPan-Osapplication

Vendor-confirmed product mapping. Mallory continuously reconciles against your asset inventory in the product.

ACTIVITY FEED

Recent activity

21 sources tracked across advisories, community write-ups, and news. Mallory keeps watching after this page renders.

21 SOURCESView all

rapid7 blogNews

May 14, 2026

CVE-2026-0265: Authentication Bypass in Palo Alto Networks PAN-OS

A signature verification flaw in Palo Alto Networks PAN-OS that enables authentication bypass when Cloud Authentication Service (CAS) is enabled on a login interface.

ca ccsNews

May 13, 2026

Palo Alto Networks security advisory (AV26-462) - Canadian Centre for Cyber Security

An authentication bypass vulnerability in PAN-OS when Cloud Authentication Service (CAS) is enabled.

The operational view lives in Mallory

See the full picture, correlated to your attack surface.

This page covers what’s public. Mallory adds the parts that aren’t — which of your assets are affected, which threat actors are using it right now, which detections to deploy, and what to do next.

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules — auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity18

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

NVD

nvd.nist.gov/vuln/detail/CVE-2026-0265

security.paloaltonetworks.com

security.paloaltonetworks.com/CVE-2026-0265