CVE-2026-9831 (GCVE-0-2026-9831)

Vulnerability from cvelistv5 – Published: 2026-05-29 21:19 – Updated: 2026-05-29 21:19
VLAI
Title
ExtremeCloud IQ Cross Tenant Data Exposure via Extreme Platform One Authentication Race Condition
Summary
A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path could, under specific high-concurrency traffic conditions, intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued API key to receive response data for another tenant. The issue was observed through ExtremeCloud IQ/XIQ API endpoints and validated against both XIQ/XAPI and Extreme Platform ONE /Common Services API paths. XIQ-native tokens and standard OAuth/Bearer JWT authentication were not affected.
Severity
6.3 (Medium)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
CWE
  • CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)
  • CWE-488 - Exposure of data element to wrong session
Assigner
References
Impacted products
Vendor Product Version
Extreme Networks Extreme Platform ONE Affected: 0 , < 25.10.0-104 (custom)
Unaffected: 25.10.0-104 (custom)
Create a notification for this product.
Date Public
2026-05-29 21:09
Credits
Sebastian Koller of Iteas IT Services GmbH (Austria) for responsible discovery and disclosure of this vulnerability. Sebastian Koller of Iteas IT Services GmbH (Austria) for responsible coordination and providing detailed evidence supporting root cause identification.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "SaaS (Cloud Hosted)"
          ],
          "product": "Extreme Platform ONE",
          "vendor": "Extreme Networks",
          "versions": [
            {
              "lessThan": "25.10.0-104",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "25.10.0-104",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Sebastian Koller of Iteas IT Services GmbH (Austria) for responsible discovery and disclosure of this vulnerability."
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Sebastian Koller of Iteas IT Services GmbH (Austria) for responsible coordination and providing detailed evidence supporting root cause identification."
        }
      ],
      "datePublic": "2026-05-29T21:09:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A race condition in the shared Extreme Platform\nONE IAM Gateway API-key authentication path could, under specific\nhigh-concurrency traffic conditions, intermittently allow requests\nauthenticated with an Extreme Platform ONE /IAM-issued API key to receive\nresponse data for another tenant. The issue was observed through ExtremeCloud\nIQ/XIQ API endpoints and validated against both XIQ/XAPI and Extreme Platform ONE\n/Common Services API paths. XIQ-native tokens and standard OAuth/Bearer JWT\nauthentication were not affected."
            }
          ],
          "value": "A race condition in the shared Extreme Platform\nONE IAM Gateway API-key authentication path could, under specific\nhigh-concurrency traffic conditions, intermittently allow requests\nauthenticated with an Extreme Platform ONE /IAM-issued API key to receive\nresponse data for another tenant. The issue was observed through ExtremeCloud\nIQ/XIQ API endpoints and validated against both XIQ/XAPI and Extreme Platform ONE\n/Common Services API paths. XIQ-native tokens and standard OAuth/Bearer JWT\nauthentication were not affected."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-74",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-74: Manipulating State"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-362",
              "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-488",
              "description": "CWE-488 Exposure of data element to wrong session",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-29T21:19:17.118Z",
        "orgId": "1c053176-eef3-4d6a-ae0b-24728c86587b",
        "shortName": "ExtremeNetworks"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://community.extremenetworks.com/t5/security-advisories-formerly/sa-2026-048-extremecloud-iq-cross-tenant-data-exposure-via/ba-p/121851"
        }
      ],
      "source": {
        "advisory": "SA-2026-048",
        "discovery": "EXTERNAL"
      },
      "title": "ExtremeCloud IQ Cross Tenant Data Exposure via Extreme Platform One Authentication Race Condition",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1c053176-eef3-4d6a-ae0b-24728c86587b",
    "assignerShortName": "ExtremeNetworks",
    "cveId": "CVE-2026-9831",
    "datePublished": "2026-05-29T21:19:17.118Z",
    "dateReserved": "2026-05-28T12:21:45.520Z",
    "dateUpdated": "2026-05-29T21:19:17.118Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-9831\",\"sourceIdentifier\":\"1c053176-eef3-4d6a-ae0b-24728c86587b\",\"published\":\"2026-05-29T22:16:23.980\",\"lastModified\":\"2026-05-29T22:16:23.980\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A race condition in the shared Extreme Platform\\nONE IAM Gateway API-key authentication path could, under specific\\nhigh-concurrency traffic conditions, intermittently allow requests\\nauthenticated with an Extreme Platform ONE /IAM-issued API key to receive\\nresponse data for another tenant. The issue was observed through ExtremeCloud\\nIQ/XIQ API endpoints and validated against both XIQ/XAPI and Extreme Platform ONE\\n/Common Services API paths. XIQ-native tokens and standard OAuth/Bearer JWT\\nauthentication were not affected.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"1c053176-eef3-4d6a-ae0b-24728c86587b\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":4.0}]},\"weaknesses\":[{\"source\":\"1c053176-eef3-4d6a-ae0b-24728c86587b\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-362\"},{\"lang\":\"en\",\"value\":\"CWE-488\"}]}],\"references\":[{\"url\":\"https://community.extremenetworks.com/t5/security-advisories-formerly/sa-2026-048-extremecloud-iq-cross-tenant-data-exposure-via/ba-p/121851\",\"source\":\"1c053176-eef3-4d6a-ae0b-24728c86587b\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.