CVE-2026-0300: Best practice guidelines remediate design weakness for PAN-OS software (11th May 2026)

Preface: Nginx in PAN-OS assists in routing traffic to backend management components, such as those responsible for user authentication and Captive Portal functionality.

Background: Palo Alto Networks firewalls can intercept HTTP and HTTPS traffic from unauthenticated users and redirect them to an internal web server (the Authentication Portal) to collect credentials and establish a user-to-IP mapping.

This feature, now known as the Authentication Portal (formerly Captive Portal), is designed to enforce security policies based on user identity, particularly for guest or BYOD users.
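The redirect-then-map flow described above, as an added illustration (not PAN-OS code and not Palo Alto Networks' implementation): an enforcement point sees HTTP traffic from a source IP, redirects unmapped clients to the portal, records a user-to-IP mapping with a timeout after a successful portal login, and evaluates later requests against identity-based policy. The host names, users, credentials and policy entries are constructed for the example.

```python
"""Toy model of the Authentication Portal (Captive Portal) flow.

Added illustration, not PAN-OS code. All host names, users, credentials and
policy entries below are constructed for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

PORTAL_HOST = "auth-portal.example.internal"   # constructed placeholder name

# Constructed directory: username -> sha256(password); plaintext is never stored.
DIRECTORY = {
    "guest1": hashlib.sha256(b"guest-pass").hexdigest(),
    "alice": hashlib.sha256(b"alice-pass").hexdigest(),
}

# Constructed identity-based policy: user -> hosts that user may reach.
POLICY = {
    "guest1": {"www.example.com"},
    "alice": {"www.example.com", "intranet.example.internal"},
}


@dataclass
class Request:
    src_ip: str
    host: str
    path: str = "/"


@dataclass
class PortalEnforcer:
    mapping: dict = field(default_factory=dict)   # src_ip -> (user, expiry time)
    timeout_s: int = 3600

    def lookup_user(self, src_ip: str, now: float):
        """Return the mapped user for src_ip, dropping expired mappings."""
        entry = self.mapping.get(src_ip)
        if entry is None:
            return None
        user, expiry = entry
        if now >= expiry:
            del self.mapping[src_ip]
            return None
        return user

    def handle(self, req: Request, now: float):
        """Decide a request: ("redirect", url), ("allow", user) or ("deny", user)."""
        if req.host == PORTAL_HOST:
            return ("allow", None)   # the portal itself must stay reachable for login
        user = self.lookup_user(req.src_ip, now)
        if user is None:
            target = f"https://{req.host}{req.path}"
            return ("redirect", f"https://{PORTAL_HOST}/login?next={target}")
        if req.host in POLICY.get(user, set()):
            return ("allow", user)
        return ("deny", user)

    def authenticate(self, src_ip: str, username: str, password: str, now: float) -> bool:
        """Portal login: on success, record the user-to-IP mapping with a timeout."""
        expected = DIRECTORY.get(username)
        given = hashlib.sha256(password.encode()).hexdigest()
        if expected is None or not hmac.compare_digest(expected, given):
            return False
        self.mapping[src_ip] = (username, now + self.timeout_s)
        return True


def run_flow():
    """Walk one client through the flow; returns the sequence of decisions."""
    pe = PortalEnforcer(timeout_s=600)
    t = 1000.0
    steps = []
    steps.append(pe.handle(Request("10.0.0.5", "www.example.com", "/news"), t)[0])   # unmapped -> redirect
    steps.append(pe.authenticate("10.0.0.5", "guest1", "wrong", t))                  # bad password -> False
    steps.append(pe.authenticate("10.0.0.5", "guest1", "guest-pass", t))             # login -> True, mapping recorded
    steps.append(pe.handle(Request("10.0.0.5", "www.example.com", "/news"), t)[0])   # mapped guest -> allow
    steps.append(pe.handle(Request("10.0.0.5", "intranet.example.internal"), t)[0])  # guest policy -> deny
    steps.append(pe.handle(Request("10.0.0.5", "www.example.com"), t + 601)[0])      # mapping expired -> redirect
    return steps


if __name__ == "__main__":
    print(run_flow())
```

The model makes the security-relevant point visible: the portal endpoint is reachable by design from clients that have no identity yet, which is exactly why the page stresses restricting which networks and interfaces can reach it.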

Vulnerability details: A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines.

Why is CVE-2026-0300 Rated So High?

Even though it involves the User-ID Authentication Portal, which is not always internet-facing, it receives a near-perfect score because:

  • Unauthenticated Root Access: An attacker does not need to be an admin. They simply send specially crafted packets to the portal to trigger a buffer overflow.
  • Zero Interaction: The attack happens silently without any user having to click a link or log in.
  • High Impact: Once exploited, the attacker gains root control of the firewall. According to Unit 42, attackers have used this to enumerate Active Directory, steal credentials, and destroy logs.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2026-0300

Impacted Devices:

  • PA-Series and VM-Series firewalls.
  • Prisma Access and Cloud NGFW are reported to be unaffected.
