05-05-2026 11:27 PM
Hi there,
I'm trying to patch the current security warning for CVE-2026-0300, but it is not clear to me which software version will fix the problem.
My current system is on 11.1.10-h10 (PA-820 cluster).
The official document from PA can be found here: https://security.paloaltonetworks.com/CVE-2026-0300
The versions in the product table which would fix the problem don't appear in my Panorama's update list.
So which one will fix the problem?
Any hint?
thx
Daniel
05-06-2026 12:16 AM
Hi @Netzer
Right now there is no fix available yet. You'll need to apply remediation as suggested in the article under "Workarounds and Mitigations" until a PAN-OS hotfix is available (expected dates are also listed in the article).
05-06-2026 08:01 AM
Does anyone know what the PA (unique) threat ID is for this? I checked the Threat Vault, but it says it "has not been reviewed yet" - so no ID attached. I updated my threat signatures, etc., but would like to filter/monitor on if I see any threats associated with this CVE. Thank you.
05-06-2026 08:02 AM
This is a follow-up question for anyone who has more knowledge of captive portals than me, but does CVE-2026-0300 also affect captive portals that are configured in transparent mode?
05-06-2026 08:54 AM
According to this morning's emergency content update email, the Threat ID is 510019. It was the only change listed for version 9097.
Also, why is this feature on by default? Having an open listener on a port for a service that isn't required is a poor security practice. Surely it can be turned on IF someone decides to use GlobalProtect? Or are there other functions that need the captive portal enabled? We probably need to recheck our own best practices and firewall build process, but again, why is this even on by default?
05-06-2026 09:50 AM
I did receive that Emergency alert, but I don't see anywhere in that email where the unique threat ID is listed for THIS CVE - I only see:
Palo Alto Networks PAN-OS Out-of-Bounds Read Vulnerability - 510019 Unique ID which is a medium and 'alert'
It's also not listed on the CVE alert page: https://security.paloaltonetworks.com/CVE-2026-0300
05-06-2026 09:59 AM
@chrise_coh wrote:
...
Surely it can be turned on IF someone decides to use GlobalProtect? Or are there other functions that need the captive portal enabled? We probably need to recheck our own best practices and firewall build process, but again, why is this even on by default?
As far as I can tell, the User-ID Authentication Portal is primarily used for 2 functions:
Both of these larger functions are enabled by default and this is the underlying authentication method to authorize their use. It appears that this does not affect GlobalProtect using external Portals/Gateways (currently testing across multiple firewalls and several hundred users). There is also some confusion in Reddit forums about whether this affects the User-ID in the Network Zone configurations. I suspect that it does not; I believe the User-ID there refers to whether or not traffic traversing those Zones will have User-ID fields applied in Security/etc. Policies and whether probes will be sent (if configured). But there is not a lot of information available yet.
05-06-2026 01:24 PM
Adrian_Jensen - thank you for the clarification! I looked up the Reddit info, it looks to be correct - the CVE article has an update with clarification on what's affected:
Customers are impacted if both of the following conditions are true:
05-06-2026 02:03 PM - edited 05-06-2026 02:05 PM
@chrise_coh - The CVE article discusses an Interface Management profile attached to an interface ("User-ID" under Network Services in the profile). This is what would run the User-ID Authentication Portal on that interface (and shouldn't generally be available on a "public" interface).
The Reddit thread I was looking at was claiming that having "User-ID" enabled in the Zone (Network->Zones->[zonename]->User Identification ACL->Enable User Identification) also exposed the vulnerability. I believe this is incorrect as the NGFW manual states:
If you configured User-ID... the best practice is to Enable User Identification to apply the mapping information to traffic in this zone. If you disable this option, firewall logs, reports, and policies will exclude user mapping information for traffic within the zone.
By default, if you select this option, the firewall applies user mapping information to the traffic of all subnetworks in the zone...
The Zone User-ID use would seem to only apply to its use in Security/NAT Policies, logging, etc. The vulnerability would seem to apply only to the User-ID Authentication Portal (where a user is required to identify themselves for further access), not to anywhere User-ID is used in the firewall. Or at least the best I can figure.
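An added example, not part of any post in this thread: a small audit of an exported configuration that reports separately the two settings the last reply distinguishes, namely interfaces whose Interface Management profile has User-ID enabled, and zones with Enable User Identification set. The sample XML is constructed, and the element names (`userid-service`, `enable-user-identification`, `interface-management-profile`) are assumptions taken from the PAN-OS set-command names; check them against your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. Element names are assumptions based on
# the PAN-OS set-command names; verify against your own running-config.xml.
SAMPLE = """
<config><devices><entry name="localhost.localdomain">
 <network>
  <profiles><interface-management-profile>
   <entry name="mgmt-inside"><ping>yes</ping><userid-service>yes</userid-service></entry>
   <entry name="ping-only"><ping>yes</ping></entry>
  </interface-management-profile></profiles>
  <interface><ethernet>
   <entry name="ethernet1/1"><layer3>
     <interface-management-profile>ping-only</interface-management-profile></layer3></entry>
   <entry name="ethernet1/2"><layer3>
     <interface-management-profile>mgmt-inside</interface-management-profile></layer3></entry>
  </ethernet></interface>
 </network>
 <vsys><entry name="vsys1"><zone>
   <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network>
     <enable-user-identification>yes</enable-user-identification></entry>
   <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
 </zone></entry></vsys>
</entry></devices></config>
"""

def audit(xml_text):
    root = ET.fromstring(xml_text)
    # Profiles with the "User-ID" network service switched on.
    risky = {p.get("name")
             for mp in root.iter("interface-management-profile")
             for p in mp.findall("entry")
             if p.findtext("userid-service") == "yes"}
    # Interfaces that reference one of those profiles.
    exposed = {}
    for ifc in root.iter("entry"):
        ref = ifc.find("./layer3/interface-management-profile")
        if ref is not None and ref.text in risky:
            exposed[ifc.get("name")] = ref.text
    # Zone-level setting, reported separately.
    zones = sorted(z.get("name") for z in root.iter("entry")
                   if z.findtext("enable-user-identification") == "yes")
    return exposed, zones

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The first result maps each interface to the User-ID-enabled profile attached to it; the second lists zones that only have the zone-level option set, so the two can be reviewed against the advisory independently.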

