OS Command Injection in Palo Alto PAN-OS - CVE-2026-0286

 

OS Command Injection in Palo Alto PAN-OS - CVE-2026-0286

Published: July 10, 2026


Vulnerability identifier: #VU137303
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-0286
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Palo Alto Networks, Inc.
Affected software:
Palo Alto PAN-OS

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary OS commands as root.

The vulnerability exists due to improper neutralization of special elements used in an OS command in the management plane CLI when processing crafted CLI input. A remote privileged user can send crafted CLI commands to execute arbitrary OS commands as root.

This issue affects the management plane and does not require special configuration to be exposed.


How to mitigate CVE-2026-0286

Install security update from vendor's website.

Sources