CVE-2026-0285 PAN-OS: Server-Side Request Forgery Vulnerability in Management Web Interface
Description
A server-side request forgery (SSRF) vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator with network access to the management web interface to make unauthorized requests from the firewall to internal services.
The security risk posed by this issue is minimized when the management interface is restricted to only trusted internal IP addresses according to our recommended best practice deployment guidelines.
Panorama, Cloud NGFW, and Prisma® Access are not impacted by this vulnerability.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | None | All |
| PAN-OS 12.1 | < 12.1.4-h8 < 12.1.7-h2 < 12.1.8 | >= 12.1.4-h8 >= 12.1.7-h2 >= 12.1.8 |
| PAN-OS 11.2 | < 11.2.4-h20 < 11.2.7-h18 < 11.2.10-h11 < 11.2.13 | >= 11.2.4-h20 >= 11.2.7-h18 >= 11.2.10-h11 >= 11.2.13 |
| PAN-OS 11.1 | < 11.1.4-h35 < 11.1.6-h35 < 11.1.7-h8 < 11.1.10-h30 < 11.1.13-h9 < 11.1.16 | >= 11.1.4-h35 >= 11.1.6-h35 >= 11.1.7-h8 >= 11.1.10-h30 >= 11.1.13-h9 >= 11.1.16 |
| PAN-OS 10.2 | < 10.2.7-h36 < 10.2.10-h39 < 10.2.13-h23 < 10.2.16-h9 < 10.2.18-h8 | >= 10.2.7-h36 >= 10.2.10-h39 >= 10.2.13-h23 >= 10.2.16-h9 >= 10.2.18-h8 |
| Prisma Access | None | All |
Required Configuration for Exposure
The risk is greatest if you enabled access to the management interface from the internet or any untrusted network either:
- Directly; or
- Through a dataplane interface that includes a management interface profile.
You reduce the risk if you ensure that you allow only trusted internal IP addresses to access the management interface.
Severity: MEDIUM, Suggested Urgency: MODERATE
The risk is highest when you allow access to the management interface from external IP addresses on the internet.
MEDIUM
- CVSS-BT: 4.7 /CVSS-B: 7.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Amber)
You can reduce the risk of exploitation by restricting access to a jump box that is the only system allowed to access the management interface.
MEDIUM
- CVSS-BT: 4.4 /CVSS-B: 6.9 (CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-918 Server-Side Request Forgery (SSRF)
CAPEC-664 Server-Side Request Forgery
Solution
| Version | Minor Version | Suggested Solution |
|---|---|---|
| Cloud NGFW | No action needed. | |
| PAN-OS 12.1 |
12.1.5 through 12.1.7-h* | Upgrade to 12.1.7-h2 or 12.1.8 or later. |
| 12.1.2 through 12.1.4-h* | Upgrade to 12.1.4-h8 or 12.1.8 or later. | |
| PAN-OS 11.2 |
11.2.11 through 11.2.12 | Upgrade to 11.2.13 or later. |
| 11.2.8 through 11.2.10-h* | Upgrade to 11.2.10-h11 or 11.2.13 or later. | |
| 11.2.5 through 11.2.7-h* | Upgrade to 11.2.7-h18 or 11.2.13 or later. | |
| 11.2.0 through 11.2.4-h* | Upgrade to 11.2.4-h20 or 11.2.13 or later. | |
| PAN-OS 11.1 |
11.1.14 through 11.1.15 | Upgrade to 11.1.16 or later. |
| 11.1.11 through 11.1.13-h* | Upgrade to 11.1.13-h9 or 11.1.16 or later. | |
| 11.1.8 through 11.1.10-h* | Upgrade to 11.1.10-h30 or 11.1.16 or later. | |
| 11.1.7 through 11.1.7-h* | Upgrade to 11.1.7-h8 or 11.1.16 or later. | |
| 11.1.5 through 11.1.6-h* | Upgrade to 11.1.6-h35 or 11.1.16 or later. | |
| 11.1.0 through 11.1.4-h* | Upgrade to 11.1.4-h35 or 11.1.16 or later. | |
| PAN-OS 10.2 |
10.2.17 through 10.2.18-h* | Upgrade to 10.2.18-h8 or later. |
| 10.2.14 through 10.2.16-h* | Upgrade to 10.2.16-h9 or later. | |
| 10.2.11 through 10.2.13-h* | Upgrade to 10.2.13-h23 or later. | |
| 10.2.8 through 10.2.10-h* | Upgrade to 10.2.10-h39 or later. | |
| 10.2.0 through 10.2.7-h* | Upgrade to 10.2.7-h36 or later. | |
| All older unsupported PAN-OS versions | Upgrade to a supported fixed version. | |
| Prisma Access | No action needed. |
Workarounds and Mitigations
The vast majority of firewalls already follow Palo Alto Networks' and industry best practices. However, if you have not already, we strongly recommend that you secure access to your management interface according to our best practice deployment guidelines. Specifically, you should restrict management interface access to only trusted internal IP addresses.
Review information about how to secure management access to your Palo Alto Networks firewalls:
- Palo Alto Networks LIVEcommunity article
- Palo Alto Networks official and detailed technical documentation
Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 510030 (from Applications and Threats content version 9122-10145 and later). For these Threat IDs to protect against attacks for this vulnerability:
- Route incoming traffic for the MGT port through a DP port e.g., enabling management profile on a DP interface for management access
- Replace the Certificate for Inbound Traffic Management.
- Decrypt inbound traffic to the management interface so the firewall can inspect it.
- Enable threat prevention on the inbound traffic to management services.
Please note that this Threat ID requires SSL Decryption.
Acknowledgments
CPEs
cpe:2.3:o:palo_alto_networks:pan-os:12.1.7:-:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.6:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.5:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:h6:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:h5:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:h3:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:h2:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:-:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.3:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.2:*:*:*:*:*:*:*
CPE Applicability
- cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)12.1.4 and up to (excluding)12.1.4-h8
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)12.1.7 and up to (excluding)12.1.7-h2
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)12.1.0 and up to (excluding)12.1.8
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.4 and up to (excluding)11.2.4-h20
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.7 and up to (excluding)11.2.7-h18
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.10 and up to (excluding)11.2.10-h11
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.0 and up to (excluding)11.2.13
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.4 and up to (excluding)11.1.4-h35
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.6 and up to (excluding)11.1.6-h35
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.7 and up to (excluding)11.1.7-h8
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.10 and up to (excluding)11.1.10-h30
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.13 and up to (excluding)11.1.13-h9
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.0 and up to (excluding)11.1.16
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.7 and up to (excluding)10.2.7-h36
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.10 and up to (excluding)10.2.10-h39
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.13 and up to (excluding)10.2.13-h23
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.16 and up to (excluding)10.2.16-h9
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.18 and up to (excluding)10.2.18-h8