PAN-OS: Panorama session disclosure during context switch into managed device
Description
An information exposure vulnerability exists in Palo Alto Networks Panorama software that discloses the token for the Panorama web interface administrator's session to a managed device when the Panorama administrator performs a context switch into that device. This vulnerability allows an attacker to gain privileged access to the Panorama web interface. An attacker requires some knowledge of managed firewalls to exploit this issue. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.17; PAN-OS 9.0 versions earlier than PAN-OS 9.0.11; PAN-OS 9.1 versions earlier than PAN-OS 9.1.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Panorama session token disclosure during a context switch allows an attacker to gain privileged access to the Panorama web interface.
Vulnerability
An information exposure vulnerability exists in Palo Alto Networks Panorama software that discloses the token for the Panorama web interface administrator's session to a managed device when the Panorama administrator performs a context switch into that device. This issue impacts PAN-OS 8.1 versions earlier than 8.1.17, PAN-OS 9.0 versions earlier than 9.0.11, and PAN-OS 9.1 versions earlier than 9.1.5 [1].
Exploitation
An attacker requires some knowledge of managed firewalls to exploit this issue. The attacker must be in a position to observe the token disclosed to a managed device during a context switch performed by the Panorama administrator. The attack complexity is high and user interaction is required, as the administrator must perform the context switch [1].
Impact
Successful exploitation allows an attacker to gain privileged access to the Panorama web interface, potentially leading to high confidentiality, integrity, and availability impact [1].
Mitigation
This issue is fixed in PAN-OS 8.1.17, PAN-OS 9.0.11, PAN-OS 9.1.5, and all later PAN-OS versions. A workaround is to enable custom certificate authentication between Panorama and managed firewalls, which completely mitigates the issue [1].
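The fixed releases listed above can be turned into an inventory triage check. This is an added example, not part of the advisory or any Palo Alto Networks code; the hostnames and versions in the sample inventory are constructed, and treating a hotfix build (the "-hN" suffix) as its base maintenance release is an assumption.

```python
import re

# Fixed maintenance release per affected branch, from the advisory text above.
FIXED = {(8, 1): 17, (9, 0): 11, (9, 1): 5}

# PAN-OS version strings look like "9.0.10" or "9.0.10-h2" (hotfix suffix).
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def classify(version):
    """Return 'affected', 'fixed' or 'unlisted' for a Panorama PAN-OS version."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    branch, maint = (int(m[1]), int(m[2])), int(m[3])
    if branch in FIXED:
        # Assumption: a hotfix of an earlier release (8.1.16-h3) is still
        # earlier than the fixed release, so the -hN suffix is ignored.
        return "affected" if maint < FIXED[branch] else "fixed"
    if branch > max(FIXED):
        return "fixed"      # "all later PAN-OS versions" per the advisory
    return "unlisted"       # the page says nothing about older branches


def triage(inventory):
    """Map hostname -> status for an inventory of {hostname: version}."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = classify(version)
        except ValueError:
            result[host] = "unparsed"   # flag for manual review, do not guess
    return result


# Constructed sample inventory (illustrative hostnames and versions).
SAMPLE = {
    "panorama-a": "8.1.16-h3",
    "panorama-b": "9.0.11",
    "panorama-c": "9.1.4",
    "panorama-d": "10.0.2",
    "panorama-e": "8.0.20",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:12} {SAMPLE[host]:12} {status}")
```

A host reported as affected may already be covered by the custom certificate authentication workaround; this check looks only at version strings, not configuration.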
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: PAN-OS 8.1 < 8.1.17, PAN-OS 9.0 < 9.0.11, PAN-OS 9.1 < 9.1.5
- Range: 8.1
References
- [1] security.paloaltonetworks.com/CVE-2020-2022 (mitre, x_refsource_MISC)