CVE-2026-20193

Summary

A vulnerability in the RADIUS Policy API endpoints of Cisco ISE could allow an authenticated, remote attacker with read-only Administrator privileges to gain unauthorized access to sensitive information on an affected device.

This vulnerability is due to improper role-based access control (RBAC) permissions on the RADIUS Policy API endpoints. An attacker could exploit this vulnerability by bypassing the web-based management interface and directly calling an affected endpoint. A successful exploit could allow the attacker to gain unauthorized read access to sensitive RADIUS Policy details that are restricted for their role.

Affected Software

VendorProductVersion RangeStatus
CiscoCisco Identity Services Engine Software3.3.0affected
CiscoCisco Identity Services Engine Software3.3 Patch 2affected
CiscoCisco Identity Services Engine Software3.3 Patch 1affected
CiscoCisco Identity Services Engine Software3.3 Patch 3affected
CiscoCisco Identity Services Engine Software3.4.0affected
CiscoCisco Identity Services Engine Software3.3 Patch 4affected
CiscoCisco Identity Services Engine Software3.4 Patch 1affected
CiscoCisco Identity Services Engine Software3.3 Patch 5affected
CiscoCisco Identity Services Engine Software3.3 Patch 6affected
CiscoCisco Identity Services Engine Software3.4 Patch 2affected
CiscoCisco Identity Services Engine Software3.3 Patch 7affected
CiscoCisco Identity Services Engine Software3.4 Patch 3affected
CiscoCisco Identity Services Engine Software3.5.0affected
CiscoCisco Identity Services Engine Software3.4 Patch 4affected
CiscoCisco Identity Services Engine Software3.3 Patch 8affected
CiscoCisco Identity Services Engine Software3.5 Patch 1affected
CiscoCisco Identity Services Engine Software3.3 Patch 9affected
CiscoCisco Identity Services Engine Software3.4 Patch 5affected
CiscoCisco Identity Services Engine Software3.5 Patch 3affected
CiscoCisco Identity Services Engine Software3.5 Patch 2affected
CiscoCisco Identity Services Engine Software3.3 Patch 10affected

Weaknesses

  • CWE-862: Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References