CVE-2026-0283 PUBLISHED

PAN-OS: Authentication Bypass Vulnerability in Large Scale VPN (LSVPN)

Assigner: palo_alto
Reserved: 03.11.2025 Published: 09.07.2026 Updated: 09.07.2026

An authentication bypass vulnerability in Large Scale VPN ( LSVPN) functionality of Palo Alto Networks PAN-OS software allows an attacker with network access to bypass security restrictions and establish an unauthorized site-to-site VPN connection.

Panorama, Cloud NGFW, and Prisma® Access are not impacted by this vulnerability.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:H/SI:L/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Amber
CVSS Score: 4.5

The risk is highest when you allow access to the management interface from external IP addresses on the internet.

Product Status

Vendor Palo Alto Networks
Product Cloud NGFW
Versions Default: unaffected
  • Version All is unaffected
Vendor Palo Alto Networks
Product PAN-OS
Versions Default: unaffected
  • affected from 12.1.0 to 12.1.8 (excl.)
  • affected from 11.2.0 to 11.2.13 (excl.)
  • affected from 11.1.0 to 11.1.16 (excl.)
  • affected from 10.2.0 to 10.2.18-h8 (excl.)
Vendor Palo Alto Networks
Product Prisma Access
Versions Default: unaffected
  • Version All is unaffected

Exploits

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Credits

  • Vaibhav Nagar (internal reporter) and our internal security research teams finder

References

Problem Types

  • CWE-306 Missing Authentication for Critical Function CWE

Impacts

  • CAPEC-115 Authentication Bypass