Back to overview

CVE-2026-0283

MEDIUM
4.5
CVSS 4.0
Description
An authentication bypass vulnerability in Large Scale VPN ( LSVPN) functionality of Palo Alto Networks PAN-OS software allows an attacker with network access to bypass security restrictions and establish an unauthorized site-to-site VPN connection. Panorama, Cloud NGFW, and Prisma® Access are not impacted by this vulnerability.

Metadata

CVE ID
CVE-2026-0283
State
PUBLISHED
Assigner
palo_alto
Reserved
2025-11-03 20:44 UTC
Published
2026-07-09 19:01 UTC
Last updated
2026-07-09 19:25 UTC
Primary CWE
CWE-306
CWE-306 Missing Authentication for Critical Function
Vendor / Product
Palo Alto Networks / Cloud NGFW
Sources
cve.org  ·  NVD

Severity & Metrics

4.5 MEDIUM CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:H/SI:L/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Amber
SSVC — CISA Coordinator
Exploitation
none
Automatable
yes
Tech. Impact
partial
Affected products (3)
VendorProductPlatformVersions
Palo Alto Networks Cloud NGFW All
Palo Alto Networks PAN-OS 12.1.0 < 12.1.8, 11.2.0 < 11.2.13, 11.1.0 < 11.1.16, 10.2.0 < 10.2.18-h8
Palo Alto Networks Prisma Access All
Weakness (CWE)
CWESourceDescription
CWE-306 cna CWE-306 Missing Authentication for Critical Function
CVSS scores (1)
ScoreSeverityVersionSourceVector
4.5 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:H/SI:L/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Amber
Back to overview