CVE-2026-9831 (GCVE-0-2026-9831)
Vulnerability from cvelistv5 – Published: 2026-05-29 21:19 – Updated: 2026-06-01 13:53
VLAI?
Title
ExtremeCloud IQ Cross Tenant Data Exposure via Extreme Platform One Authentication Race Condition
Summary
A race condition in the shared Extreme Platform
ONE IAM Gateway API-key authentication path could, under specific
high-concurrency traffic conditions, intermittently allow requests
authenticated with an Extreme Platform ONE /IAM-issued API key to receive
response data for another tenant. The issue was observed through ExtremeCloud
IQ/XIQ API endpoints and validated against both XIQ/XAPI and Extreme Platform ONE
/Common Services API paths. XIQ-native tokens and standard OAuth/Bearer JWT
authentication were not affected.
Severity ?
6.3 (Medium)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Extreme Networks | Extreme Platform ONE |
Affected:
0 , < 25.10.0-104
(custom)
Unaffected: 25.10.0-104 (custom) |
Credits
Sebastian Koller of Iteas IT Services GmbH (Austria) for responsible discovery and disclosure of this vulnerability.
Sebastian Koller of Iteas IT Services GmbH (Austria) for responsible coordination and providing detailed evidence supporting root cause identification.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9831",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T13:52:52.575235Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T13:53:05.140Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"SaaS (Cloud Hosted)"
],
"product": "Extreme Platform ONE",
"vendor": "Extreme Networks",
"versions": [
{
"lessThan": "25.10.0-104",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "25.10.0-104",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sebastian Koller of Iteas IT Services GmbH (Austria) for responsible discovery and disclosure of this vulnerability."
},
{
"lang": "en",
"type": "reporter",
"value": "Sebastian Koller of Iteas IT Services GmbH (Austria) for responsible coordination and providing detailed evidence supporting root cause identification."
}
],
"datePublic": "2026-05-29T21:09:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A race condition in the shared Extreme Platform\nONE IAM Gateway API-key authentication path could, under specific\nhigh-concurrency traffic conditions, intermittently allow requests\nauthenticated with an Extreme Platform ONE /IAM-issued API key to receive\nresponse data for another tenant. The issue was observed through ExtremeCloud\nIQ/XIQ API endpoints and validated against both XIQ/XAPI and Extreme Platform ONE\n/Common Services API paths. XIQ-native tokens and standard OAuth/Bearer JWT\nauthentication were not affected."
}
],
"value": "A race condition in the shared Extreme Platform\nONE IAM Gateway API-key authentication path could, under specific\nhigh-concurrency traffic conditions, intermittently allow requests\nauthenticated with an Extreme Platform ONE /IAM-issued API key to receive\nresponse data for another tenant. The issue was observed through ExtremeCloud\nIQ/XIQ API endpoints and validated against both XIQ/XAPI and Extreme Platform ONE\n/Common Services API paths. XIQ-native tokens and standard OAuth/Bearer JWT\nauthentication were not affected."
}
],
"impacts": [
{
"capecId": "CAPEC-74",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-74: Manipulating State"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-488",
"description": "CWE-488 Exposure of data element to wrong session",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T21:19:17.118Z",
"orgId": "1c053176-eef3-4d6a-ae0b-24728c86587b",
"shortName": "ExtremeNetworks"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.extremenetworks.com/t5/security-advisories-formerly/sa-2026-048-extremecloud-iq-cross-tenant-data-exposure-via/ba-p/121851"
}
],
"source": {
"advisory": "SA-2026-048",
"discovery": "EXTERNAL"
},
"title": "ExtremeCloud IQ Cross Tenant Data Exposure via Extreme Platform One Authentication Race Condition",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "1c053176-eef3-4d6a-ae0b-24728c86587b",
"assignerShortName": "ExtremeNetworks",
"cveId": "CVE-2026-9831",
"datePublished": "2026-05-29T21:19:17.118Z",
"dateReserved": "2026-05-28T12:21:45.520Z",
"dateUpdated": "2026-06-01T13:53:05.140Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…