| Cybersecurity Risk Management and Strategy Disclosure | 12 Months Ended Dec. 31, 2025 |
|---|---|
| Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] | We have developed and implemented processes to assess, identify, and manage material risks from cybersecurity threats. Our cybersecurity processes leverage international best practices and standards issued by the U.S. National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), the International Society of Automation (ISA), the International Electrotechnical Commission (IEC), the American Institute of Certified Public Accountants (AICPA), the Cloud Security Alliance (CSA) and the Center for Internet Security (CIS), as well as those issued in this area by the Agency for Digital Transformation and Telecommunications (ATDT) of the Government of Mexico, and Mexican laws on personal data protection, among others. Key elements of our cybersecurity risk management framework include:
• risk assessments designed to identify, evaluate and prioritize cybersecurity risks to our critical infrastructure and our broader enterprise IT environment;
• implementation of strategy on identity management, authentication and digital access controls;
• preparation of technical analyses and policies regarding cybersecurity;
• a security team principally responsible for designing, managing, monitoring and improving our cybersecurity risk and vulnerability assessment processes, architecture, security controls and responses to cybersecurity incidents;
• cybersecurity training for our employees, incident response personnel and senior management; and
• our Centro de Respuesta a Incidentes de Ciberseguridad (Cybersecurity Incident Response Center), which is responsible for cybersecurity incident prevention, monitoring, identification, containment, eradication, recovery and improvement efforts, including cyber intelligence, prevention and reporting of cyber fraud and extortion.
Our cybersecurity processes are integrated into our overall risk management system. We utilize our comprehensive Marco de Administración de Riesgos Empresariales (Enterprise Risk Management Framework, or “MARE”) to assess, identify, and manage material risks, including risks related to cybersecurity threats or breaches, business disruption, financial reporting, industrial systems, intellectual property theft, fraud, extortion, employee or customer harm, system hacking, malware, cyberterrorism, misuse of information technology assets, internal control failures, information leakage, litigation, and legal and reputational risks. We engage third parties in connection with our cybersecurity processes. This includes working with external experts to strengthen cybersecurity operations, validate and test our security architecture, manage vulnerabilities, train our personnel and address emerging threats. Our Cybersecurity Incident Response Center also collaborates with other specialized cybersecurity centers in Mexico, such as the Centro de Respuesta a Incidentes Cibernéticos managed by the National Guard, and receives information from reliable international sources to coordinate responses to cybersecurity events and incidents with specialized entities. Moreover, our cybersecurity specialists maintain ongoing communication and collaboration with ATDT specialists of the Mexican Government to strengthen the prevention and management of emerging threats. 
In an effort to mitigate risk factors associated with our third-party service providers, we routinely include confidentiality, intellectual property protection and personal data protection clauses in our contracts, conduct due diligence of third parties, including assessments of their information security strategies, policies and controls, and require operational technology service providers to comply with applicable cybersecurity standards and controls. See “Item 3—Key Information—Risk Factors—Risk Factors Related to Our Operations—We are exposed to cybersecurity incidents and attacks that could materially adversely affect our business, results of operations and financial condition”.
|
| Cybersecurity Risk Management Processes Integrated [Flag] | true |
| Cybersecurity Risk Management Processes Integrated [Text Block] | Our cybersecurity processes are integrated into our overall risk management system. We utilize our comprehensive Marco de Administración de Riesgos Empresariales (Enterprise Risk Management Framework, or “MARE”) to assess, identify, and manage material risks, including risks related to cybersecurity threats or breaches, business disruption, financial reporting, industrial systems, intellectual property theft, fraud, extortion, employee or customer harm, system hacking, malware, cyberterrorism, misuse of information technology assets, internal control failures, information leakage, litigation, and legal and reputational risks.
|
| Cybersecurity Risk Management Third Party Engaged [Flag] | true |
| Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
| Cybersecurity Risk Board of Directors Oversight [Text Block] | Board of Directors: The Audit Committee of our Board of Directors is responsible for overseeing our overall risk management systems and processes and is primarily responsible for verifying compliance with our strategic objectives pursuant to our Business Plan. This includes preparing comparative analyses between the goals and commitments established in our Business Plan and the results achieved, as well as proposing adjustments and actions to our Board of Directors to correct any identified deficiencies.
|
| Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | The Audit Committee of our Board of Directors is responsible for overseeing our overall risk management systems and processes and is primarily responsible for verifying compliance with our strategic objectives pursuant to our Business Plan. This includes preparing comparative analyses between the goals and commitments established in our Business Plan and the results achieved, as well as proposing adjustments and actions to our Board of Directors to correct any identified deficiencies. Our Audit Committee and our Board of Directors receive monthly and annual reports on Information Technology matters from our Unidad de Control Interno Institucional (Institutional Internal Control Unit) and our Office of Internal Audit. Where applicable, these reports summarize our cybersecurity activities and incidents and include observations and recommendations to improve our procedural and operational management. Additionally, the Deputy Director of Information and Communications Technology monitors PEMEX’s cybersecurity status on a daily basis and reports periodically to the Chief Administrative Services Officer and to the Risk Committee of Petróleos Mexicanos.
|
| Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | Our Audit Committee and our Board of Directors receive monthly and annual reports on Information Technology matters from our Unidad de Control Interno Institucional (Institutional Internal Control Unit) and our Office of Internal Audit. Where applicable, these reports summarize our cybersecurity activities and incidents and include observations and recommendations to improve our procedural and operational management. Additionally, the Deputy Director of Information and Communications Technology monitors PEMEX’s cybersecurity status on a daily basis and reports periodically to the Chief Administrative Services Officer and to the Risk Committee of Petróleos Mexicanos.
|
| Cybersecurity Risk Role of Management [Text Block] | Management: The cybersecurity risk management processes described above are implemented through our Information and Communications Technology Sub-Directorate and the Information Security Office. Alongside the Risk Committee of Petróleos Mexicanos, these areas are responsible for implementing strategies, initiatives, action plans and activities to strengthen cybersecurity management processes, issuing internal policies and regulations regarding cybersecurity, identity management, user access controls and the protection of sensitive digital information. It also considers solutions, tools and services contracted through specialized suppliers. The Information and Communications Technology Sub-Directorate is composed of the Deputy Director, coordinators and managers. The Deputy Director is responsible, among other duties, for defining the Information Technology strategy and coordinating PEMEX’s cybersecurity strategy. The Deputy Director has over three decades of experience in the design, implementation and management of technological solutions, and information security processes for incident response. He holds a degree in Computer Science with a focus on Systems Engineering, complemented by international programs in Digital Transformation and Executive Modernization. The coordinators supervise the managers to ensure that their functions are carried out in accordance with our cybersecurity strategy. Managers collaborate with specialists across the different technological domains to operate cybersecurity controls in accordance with our cybersecurity strategy. The Information Security Office is led by the Information Security Manager and is composed of 30 professionals. The Information Security Manager is an expert in cybersecurity management, with specialization in national security, and holds certifications including CISM, CRISC, CISA and ISO 22301.
The 30 professionals are experts and specialists in different cybersecurity matters and are continuously trained. Working in coordination with specialists across various technology domains, they collectively hold certifications such as Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Certified in Risk and Information Systems Control (CRISC), Certified Information Systems Auditor (CISA), GIAC Certified Forensic Analyst (GIAC-GCFA), Certified Secure Software Lifecycle Professional (CSSLP), ISO 22301 and 31000, ISO/IEC 27001 and 27017, Industrial Cybersecurity Implementation V3.20, Cybersecurity Certification CC (ISC)², CompTIA Security+ and eJPTv2 Certification.
|
| Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
| Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | The cybersecurity risk management processes described above are implemented through our Information and Communications Technology Sub-Directorate and the Information Security Office. Alongside the Risk Committee of Petróleos Mexicanos, these areas are responsible for implementing strategies, initiatives, action plans and activities to strengthen cybersecurity management processes, issuing internal policies and regulations regarding cybersecurity, identity management, user access controls and the protection of sensitive digital information. It also considers solutions, tools and services contracted through specialized suppliers.
|
| Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | The Information and Communications Technology Sub-Directorate is composed of the Deputy Director, coordinators and managers. The Deputy Director is responsible, among other duties, for defining the Information Technology strategy and coordinating PEMEX’s cybersecurity strategy. The Deputy Director has over three decades of experience in the design, implementation and management of technological solutions, and information security processes for incident response. He holds a degree in Computer Science with a focus on Systems Engineering, complemented by international programs in Digital Transformation and Executive Modernization. The coordinators supervise the managers to ensure that their functions are carried out in accordance with our cybersecurity strategy. Managers collaborate with specialists across the different technological domains to operate cybersecurity controls in accordance with our cybersecurity strategy. The Information Security Office is led by the Information Security Manager and is composed of 30 professionals. The Information Security Manager is an expert in cybersecurity management, with specialization in national security, and holds certifications including CISM, CRISC, CISA and ISO 22301. The 30 professionals are experts and specialists in different cybersecurity matters and are continuously trained. 
Working in coordination with specialists across various technology domains, they collectively hold certifications such as Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Certified in Risk and Information Systems Control (CRISC), Certified Information Systems Auditor (CISA), GIAC Certified Forensic Analyst (GIAC-GCFA), Certified Secure Software Lifecycle Professional (CSSLP), ISO 22301 and 31000, ISO/IEC 27001 and 27017, Industrial Cybersecurity Implementation V3.20, Cybersecurity Certification CC (ISC)², CompTIA Security+ and eJPTv2 Certification. The Information Security Manager of Petróleos Mexicanos serves as the Institutional Cybersecurity Officer designated by the Chief Executive Officer before the ATDT and is responsible for developing the cybersecurity strategy and defining the architecture and monitoring and protection mechanisms to manage cybersecurity risks at PEMEX.
|
| Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | The Information and Communications Technology Sub-Directorate is composed of the Deputy Director, coordinators and managers. The Deputy Director is responsible, among other duties, for defining the Information Technology strategy and coordinating PEMEX’s cybersecurity strategy. The Deputy Director has over three decades of experience in the design, implementation and management of technological solutions, and information security processes for incident response. He holds a degree in Computer Science with a focus on Systems Engineering, complemented by international programs in Digital Transformation and Executive Modernization. The coordinators supervise the managers to ensure that their functions are carried out in accordance with our cybersecurity strategy. Managers collaborate with specialists across the different technological domains to operate cybersecurity controls in accordance with our cybersecurity strategy.
|
| Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |