CVE-2026-0284 PAN-OS: XML Injection Vulnerability in Large Scale VPN (LSVPN)
Description
An XML injection vulnerability in the Large Scale VPN (LSVPN) functionality of Palo Alto Networks PAN-OS® software enables an unauthenticated attacker with network access to inject malicious XML content, potentially leading to information disclosure or corruption of internal LSVPN satellite data.
Panorama, Cloud NGFW, and Prisma® Access are not impacted by this vulnerability.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | None | All |
| PAN-OS 12.1 | < 12.1.4-h8 < 12.1.7-h2 < 12.1.8 | >= 12.1.4-h8 >= 12.1.7-h2 >= 12.1.8 |
| PAN-OS 11.2 | < 11.2.4-h20 < 11.2.7-h18 < 11.2.10-h12 < 11.2.13 | >= 11.2.4-h20 >= 11.2.7-h18 >= 11.2.10-h12 >= 11.2.13 |
| PAN-OS 11.1 | < 11.1.4-h35 < 11.1.6-h35 < 11.1.7-h8 < 11.1.10-h30 < 11.1.13-h9 < 11.1.16 | >= 11.1.4-h35 >= 11.1.6-h35 >= 11.1.7-h8 >= 11.1.10-h30 >= 11.1.13-h9 >= 11.1.16 |
| PAN-OS 10.2 | < 10.2.7-h36 < 10.2.10-h39 < 10.2.13-h23 < 10.2.16-h9 < 10.2.18-h8 | >= 10.2.7-h36 >= 10.2.10-h39 >= 10.2.13-h23 >= 10.2.16-h9 >= 10.2.18-h8 |
| Prisma Access | None | All |
Required Configuration for Exposure
This issue is applicable only to firewalls using Large Scale VPN (LSVPN) with configured satellites.
To check if your firewall has LSVPN satellites configured, run the following from the PAN-OS CLI:show config running | match satellite
If output is returned, LSVPN is in use.
You can also verify in the web interface by navigating to Network > GlobalProtect > Portals, selecting each portal, and checking whether the Satellite tab contains any configured satellites.
Severity: MEDIUM, Suggested Urgency: MODERATE
CVSS-BT: 4.7 / CVSS-B: 7.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:L/SA:L/E:U/AU:N/R:A/V:D/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
Solution
| Version | Minor Version Range | Suggested Solution |
|---|---|---|
| Cloud NGFW | No action needed. | |
| PAN-OS 12.1 | 12.1.5 through 12.1.7-h* | Upgrade to 12.1.7-h2 or 12.1.8 or later. |
| 12.1.2 through 12.1.4-h* | Upgrade to 12.1.4-h8 or 12.1.8 or later. | |
| PAN-OS 11.2 | 11.2.11 through 11.2.12 | Upgrade to 11.2.13 or later. |
| 11.2.8 through 11.2.10-h* | Upgrade to 11.2.10-h12 or 11.2.13 or later. | |
| 11.2.5 through 11.2.7-h* | Upgrade to 11.2.7-h18 or 11.2.13 or later. | |
| 11.2.0 through 11.2.4-h* | Upgrade to 11.2.4-h20 or 11.2.13 or later. | |
| PAN-OS 11.1 | 11.1.14 through 11.1.15 | Upgrade to 11.1.16 or later. |
| 11.1.11 through 11.1.13-h* | Upgrade to 11.1.13-h9 or 11.1.16 or later. | |
| 11.1.8 through 11.1.10-h* | Upgrade to 11.1.10-h30 or 11.1.16 or later. | |
| 11.1.7 through 11.1.7-h* | Upgrade to 11.1.7-h8 or 11.1.16 or later. | |
| 11.1.5 through 11.1.6-h* | Upgrade to 11.1.6-h35 or 11.1.16 or later. | |
| 11.1.0 through 11.1.4-h* | Upgrade to 11.1.4-h35 or 11.1.16 or later. | |
| PAN-OS 10.2 | 10.2.17 through 10.2.18-h* | Upgrade to 10.2.18-h8 or later. |
| 10.2.14 through 10.2.16-h* | Upgrade to 10.2.16-h9 or later. | |
| 10.2.11 through 10.2.13-h* | Upgrade to 10.2.13-h23 or later. | |
| 10.2.8 through 10.2.10-h* | Upgrade to 10.2.10-h39 or later. | |
| 10.2.0 through 10.2.7-h* | Upgrade to 10.2.7-h36 or later. | |
| All other older unsupported PAN-OS versions | Upgrade to a supported fixed version. | |
| Prisma Access | No action needed. |
Workarounds and Mitigations
No known workarounds exist for this issue.
Customers with a Threat Prevention subscription are provided with limited coverage against this vulnerability by enabling Threat ID 510031 (from Applications and Threats content version 9122-10145 and later).
To ensure the Threat ID provides effective protection against this vulnerability, ensure that vulnerability protection security profile is applied to your GlobalProtect interface.
Acknowledgments
Frequently Asked Questions
Q. Why do Threat Prevention signatures provide limited coverage?
Limited coverage in Threat Prevention means that while known attack patterns can be identified using the current Threat ID, variations may exist that cannot currently be detected. If this CVE and Required Configuration for Exposure impact your environment, we recommend upgrading to an unaffected version.
CPEs
cpe:2.3:o:palo_alto_networks:pan-os:12.1.7:-:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.6:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.5:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:h6:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:h5:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:h3:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:h2:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:-:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.3:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.2:*:*:*:*:*:*:*
CPE Applicability
- cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)12.1.4 and up to (excluding)12.1.4-h8
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)12.1.7 and up to (excluding)12.1.7-h2
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)12.1.0 and up to (excluding)12.1.8
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.4 and up to (excluding)11.2.4-h20
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.7 and up to (excluding)11.2.7-h18
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.10 and up to (excluding)11.2.10-h12
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.0 and up to (excluding)11.2.13
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.4 and up to (excluding)11.1.4-h35
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.6 and up to (excluding)11.1.6-h35
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.7 and up to (excluding)11.1.7-h8
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.10 and up to (excluding)11.1.10-h30
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.13 and up to (excluding)11.1.13-h9
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.0 and up to (excluding)11.1.16
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.7 and up to (excluding)10.2.7-h36
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.10 and up to (excluding)10.2.10-h39
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.13 and up to (excluding)10.2.13-h23
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.16 and up to (excluding)10.2.16-h9
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.18 and up to (excluding)10.2.18-h8