Morning Overview

A single Anthropic AI model just flagged 26 critical vulnerabilities for Palo Alto Networks in one run — more than the firm usually logs in five months

Sometime in early May 2026, an artificial intelligence model built by Anthropic reportedly completed a single automated security scan of Palo Alto Networks products and flagged 26 critical vulnerabilities. If the full count holds up, that one pass would exceed the number of critical-severity advisories the firewall maker typically publishes over roughly five months. Two of those flagged flaws already have entries in the NIST National Vulnerability Database, and one has been added to CISA’s Known Exploited Vulnerabilities catalog, meaning attackers are actively using it against real targets right now.

The episode has forced an uncomfortable question into the open: what happens to traditional vendor patching cycles when AI can compress months of vulnerability discovery into a single session?

Two confirmed flaws, one already under active attack

The first verified issue, CVE-2026-0264, is a buffer overflow in the PAN-OS DNS Proxy and DNS Server component. According to its NVD record, the flaw could allow unauthenticated remote code execution on PA-Series firewalls, a product line deployed across thousands of enterprise and government networks. An attacker who exploits it gains control of the firewall without needing valid credentials.

The second, CVE-2026-0300, involves an out-of-bounds write in the PAN-OS User-ID Authentication Portal. This one carries an additional distinction: CISA has placed it in the Known Exploited Vulnerabilities catalog. Under Binding Operational Directive 22-01, that listing triggers mandatory remediation deadlines for all federal civilian agencies. CISA adds entries to the KEV catalog only after confirming active exploitation through incident reports, threat intelligence, or partner feeds. This is not a theoretical risk.

Both NVD records anchor the activity around early May 2026, placing the discoveries squarely in the current disclosure cycle.

What has not been verified

Beyond those two CVEs, the evidence thins sharply. The central claim, that a single Anthropic model identified all 26 vulnerabilities in one automated run, has circulated through social media and secondary security commentary but lacks a published primary source. No original report, conference presentation, or official disclosure from Anthropic has surfaced to substantiate it. Anthropic has not released a methodology report, scan parameters, or a full list of the findings. Without that documentation, independent researchers cannot verify the scope of the scan, the severity breakdown across the remaining 24 issues, or how the model separated genuine flaws from false positives. Readers should weigh the claim accordingly: its origin is informal and unattributed, not institutional.

Palo Alto Networks has not publicly confirmed or denied the five-month baseline disclosure rate used in the comparison. Disclosure cadence varies by vendor and by quarter, shaped by product release cycles, internal testing pipelines, and coordination with external researchers. The five-month figure may reflect a selective count of advisories rather than a direct vendor metric, or it may aggregate issues of varying severity in ways that distort the comparison. Palo Alto Networks publishes its security advisories publicly, and readers can review the historical pace for themselves.

The remaining 24 vulnerabilities have not been matched to any NVD or CISA entries in publicly available records. Some may be under coordinated disclosure, with details withheld until patches ship. Others could be lower-severity findings that fall below the threshold for CVE assignment, or configuration weaknesses rather than software defects. Some could be duplicates, environmental artifacts, or false positives that a standard triage process would filter out.

It is also unclear whether the AI model operated autonomously or with human-guided prompts that narrowed its search to specific interfaces and code paths. A fully autonomous scan that surfaces 26 distinct critical issues would carry very different implications than a hybrid workflow where researchers steered the model toward known attack surfaces. The reporting so far does not clarify which scenario applies.

Why the confirmed findings still matter on their own

Even setting aside the unverified count of 26, the two confirmed CVEs are serious enough to demand immediate attention. CVE-2026-0264 affects a core network service, DNS proxying, that many organizations leave enabled by default. CVE-2026-0300 is already being exploited in the wild, which means the window between disclosure and weaponization has already closed for defenders who have not patched.

For CVE-2026-0300, federal agencies face a hard remediation deadline under BOD 22-01. Private-sector organizations that follow CISA guidance as a best practice should set their own timelines accordingly. In most environments, that means coordinated maintenance windows, regression testing, and clear communication with business stakeholders about short-term service disruptions. The cost of delay is concrete: adversaries are already using this flaw.

What affected organizations should do now

The first step is straightforward: check your PAN-OS version against Palo Alto Networks’ published advisories for CVE-2026-0264 and CVE-2026-0300, and apply available patches or mitigations immediately. Monitor CISA’s KEV catalog for any additions from the remaining batch of flagged issues.

Network teams should also review whether DNS Proxy and User-ID Authentication Portal services are exposed to untrusted networks. Restricting access to those interfaces shrinks the attack surface even before a patch is deployed. Where architectural constraints prevent immediate isolation, compensating controls can help: strict access control lists, enhanced logging, and intrusion detection rules tuned to suspicious DNS or authentication portal traffic.
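As an added illustration of the "monitor CISA's KEV catalog" step above (example code, not from the article, Palo Alto Networks or CISA), this Python snippet diffs two KEV feed snapshots for new Palo Alto Networks listings and computes the BOD 22-01 days-to-due-date for the two CVEs named here. The JSON field names follow the public KEV feed, but every record and date in the snippet is constructed placeholder data.

```python
# Added example, not from the article: triage a CISA KEV catalog snapshot for the
# PAN-OS CVEs named above and report BOD 22-01 remediation due dates.
# Field names follow the public KEV JSON feed; every record and date below is
# CONSTRUCTED sample data for the demo, not the real catalog.
import json
from datetime import date

TRACKED_CVES = {"CVE-2026-0264", "CVE-2026-0300"}  # the two CVEs the article confirms
VENDOR = "Palo Alto Networks"

# Constructed records (placeholder dates and text) in the KEV feed's field layout.
OTHER = {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Example",
         "dateAdded": "2026-05-01", "dueDate": "2026-05-22", "requiredAction": "placeholder"}
PANOS = {"cveID": "CVE-2026-0300", "vendorProject": VENDOR, "product": "PAN-OS",
         "dateAdded": "2026-05-06", "dueDate": "2026-05-27",
         "requiredAction": "Apply mitigations per vendor instructions (placeholder)"}
KEV_BEFORE = json.dumps({"vulnerabilities": [OTHER]})         # earlier snapshot
KEV_AFTER = json.dumps({"vulnerabilities": [OTHER, PANOS]})   # after CVE-2026-0300 was listed

def entries_by_id(kev_json):
    """Index a KEV feed document by cveID."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}

def new_vendor_entries(old_json, new_json, vendor=VENDOR):
    """cveIDs for `vendor` present in the new snapshot but absent from the old one."""
    old_ids = set(entries_by_id(old_json))
    return sorted(cve for cve, v in entries_by_id(new_json).items()
                  if v.get("vendorProject") == vendor and cve not in old_ids)

def triage(kev_json, tracked, today_iso):
    """Per tracked CVE: KEV status, days until the BOD 22-01 due date, overdue flag."""
    today, by_id, report = date.fromisoformat(today_iso), entries_by_id(kev_json), {}
    for cve in sorted(tracked):
        entry = by_id.get(cve)
        if entry is None:  # not in KEV: still patch, but no BOD 22-01 deadline applies
            report[cve] = {"in_kev": False}
            continue
        due = date.fromisoformat(entry["dueDate"])
        report[cve] = {"in_kev": True, "due": entry["dueDate"],
                       "days_left": (due - today).days, "overdue": today > due}
    return report

if __name__ == "__main__":
    print("newly listed for", VENDOR, "->", new_vendor_entries(KEV_BEFORE, KEV_AFTER))
    print(triage(KEV_AFTER, TRACKED_CVES, "2026-05-10"))
```

Pointing `KEV_BEFORE`/`KEV_AFTER` at two downloaded copies of the real feed turns this into a daily check that flags new vendor listings and approaching deadlines.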

AI-accelerated discovery is now part of the threat landscape

Whether the final verified count from this episode lands at 26, 12, or two, the underlying shift is real. AI models are getting faster at finding software flaws, and the gap between discovery and exploitation is compressing. Security programs still built around annual penetration tests or quarterly vulnerability assessments are operating on a timeline that attackers no longer respect.

Organizations that want to stay ahead should be incorporating continuous scanning, automated patch management where feasible, and tighter alignment with authoritative sources like NVD and CISA’s KEV catalog. The most defensible posture right now is to act on what is confirmed, treat the broader claims with informed skepticism, and prepare operationally for a world where critical flaws surface and get weaponized far faster than they used to.


*This article was researched with the help of AI, with human editors creating the final content.
