topic Re: Palo Alto 820 - Software Update for CVE-2026-0300 in Next-Generation Firewall Discussions

Palo Alto 820 - Software Update for CVE-2026-0300

Netzer — Wed, 06 May 2026 06:27:44 GMT

Hi there,

I'm trying to patch the current secruity waring for CVE-2026-0300, but it is not clear to me which software version will fix the problem.

My current system is on 11.1.10-h10 (PA-820 cluster).

The official document from PA can be found here: https://security.paloaltonetworks.com/CVE-2026-0300

The versions in the product table which would fix the problem, don't appear in my panorama's update list.

So which one will fix the problem?

Any hint?

thx

Daniel

Re: Palo Alto 820 - Software Update for CVE-2026-0300

reaper — Wed, 06 May 2026 07:16:36 GMT

Hi @Netzer

Right now there is no fix available yet. You'll need to apply remediation as suggested in the article under "Workarounds and Mitigations" until a PANOS hotfix is available (expected dates are also listed in the article)

Re: Palo Alto 820 - Software Update for CVE-2026-0300

johnlinkowsky — Wed, 06 May 2026 15:01:10 GMT

Does anyone know what PA (unique) threat ID for this? I checked the Threat Vault, but it says it "has not been reviewed yet" - so no ID attached. I updated my threat signatures, etc., but would like to filter/monitor on if I see any threats associated with this CVE. Thank you.

Re: Palo Alto 820 - Software Update for CVE-2026-0300

rwilkins — Wed, 06 May 2026 15:02:45 GMT

This is a follow up question for anyone that has more knowledge of captive portals than me but does CVE-2026-300 also effect captive portals that are configured in transparent mode?

Re: Palo Alto 820 - Software Update for CVE-2026-0300

chrise_coh — Wed, 06 May 2026 15:54:44 GMT

According to this morning's emergency content update email, the Threat ID is 510019. It was the only change listed for version 9097.

Also, why is this feature on by default? Having an open listener on a port for a service that isn't required is a poor security practice. Surely it can be turned on IF someone decides to use Global Protect? Or are there other functions that needs the captive portal enabled? We probably need to recheck our own best practices and firewall build process, but again, why is this even on by default?

Re: Palo Alto 820 - Software Update for CVE-2026-0300

johnlinkowsky — Wed, 06 May 2026 16:50:53 GMT

I did receive that Emergency alert, but I don't see anywhere on that email where the unique threat ID is listed for THIS CVE - I only see:

Palo Alto Networks PAN-OS Out-of-Bounds Read Vulnerability - 510019 Unique ID which is a medium and 'alert'

It's also not listed on the CVE alert page: https://security.paloaltonetworks.com/CVE-2026-0300

Re: Palo Alto 820 - Software Update for CVE-2026-0300

Adrian_Jensen — Wed, 06 May 2026 16:59:10 GMT

@chrise_coh wrote:

...

Surely it can be turned on IF someone decides to use Global Protect? Or are there other functions that needs the captive portal enabled? We probably need to recheck our own best practices and firewall build process, but again, why is this even on by default?

As far as I can tell, the User-ID Authentication Portal is primarily used for 2 functions:

Authentication of users of a Captive Portal
Authentication of users captured by an Authentication Policy to access a network resource (requiring additional firewall authentication to access by src/dest IP, service, etc.)

Both of these larger functions are enabled by default and this is the underlying authentication method to authorize their use. It appears that this does not affect GlobalProtect using external Portals/Gateways (currently testing across multiple firewalls and several hundred users). There is also some confusion in Reddit forums about whether this affects the User-ID in the Network Zone configurations. I suspect that it does not, I believe the User-ID there refers to whether or not traffic traversing those Zones will have User-ID fields applied in Security/etc. Policies and whether probes will be sent (if configured). But there is not a lot of information available yet.

Re: Palo Alto 820 - Software Update for CVE-2026-0300

chrise_coh — Wed, 06 May 2026 20:24:00 GMT

Adrian_Jensen - thank you for the clarification! I looked up the Reddit info, it looks to be correct - the CVE article has an update with clarification on what's affected:

Customers are impacted if both of the following conditions are true:

User-ID Authentication Portal configured in the User-ID Authentication Portal Settings page. You can verify the configuration by going to Device > User Identification > Authentication Portal Settings -> Enable Authentication Portal (applies to both transparent and redirect modes) and
An interface management profile with response pages enabled and associated with an external/internet-accessible interface. You can verify the configuration by going to Network > Interface > Select the interface > Advanced Tab > Create Management Interface Profile.

Re: Palo Alto 820 - Software Update for CVE-2026-0300

Adrian_Jensen — Wed, 06 May 2026 21:05:04 GMT

@chrise_coh - The CVE article discusses an Interface Management profile attached to an interface ("User-ID" under Network Services in the profile). This is what would run the User-ID Authentication Portal on that interface (and shouldn't generally be available on a "public" interface).

The Reddit thread I was looking at was claiming that having "User-ID" enabled in the Zone (Network->Zones->[zonename]->User Identification ACL->Enable User Identification) also exposed the vulnerability. I believe this is incorrect as the NGFW manual states:

If you configured User-ID... the best practice is to Enable User Identification to apply the mapping information to traffic in this zone. If you disable this option, firewall logs, reports, and policies will exclude user mapping information for traffic within the zone. By default, if you select this option, the firewall applies user mapping information to the traffic of all subnetworks in the zone...

The Zone User-ID use would seem to only apply to its use in Security/NAT Policies, logging, etc. The vulnerability would seem to apply only to the User-ID Authentication Portal (where a user is required to identify themselves for further access), not to anywhere User-ID is used in the firewall. Or at least the best I can figure.