CVE-2026-20195
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
A vulnerability in an identity management API endpoint of Cisco ISE could allow an unauthenticated, remote attacker to enumerate valid user accounts on an affected device.
This vulnerability exists because error messages are observed when the affected API endpoint is called. An attacker could exploit this vulnerability by sending a series of crafted requests to the affected endpoint and analyzing the differentiated responses. A successful exploit could allow the attacker to compile a list of valid usernames on an affected system.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Cisco | Cisco Identity Services Engine Software | 3.3.0 | affected |
| Cisco | Cisco Identity Services Engine Software | 3.3 Patch 2 | affected |
| Cisco | Cisco Identity Services Engine Software | 3.3 Patch 1 | affected |
| Cisco | Cisco Identity Services Engine Software | 3.3 Patch 3 | affected |
| Cisco | Cisco Identity Services Engine Software | 3.4.0 | affected |
| Cisco | Cisco Identity Services Engine Software | 3.3 Patch 4 | affected |
| Cisco | Cisco Identity Services Engine Software | 3.4 Patch 1 | affected |
| Cisco | Cisco Identity Services Engine Software | 3.3 Patch 5 | affected |
| Cisco | Cisco Identity Services Engine Software | 3.3 Patch 6 | affected |
| Cisco | Cisco Identity Services Engine Software | 3.4 Patch 2 | affected |
| Cisco | Cisco Identity Services Engine Software | 3.3 Patch 7 | affected |
| Cisco | Cisco Identity Services Engine Software | 3.4 Patch 3 | affected |
| Cisco | Cisco Identity Services Engine Software | 3.5.0 | affected |
| Cisco | Cisco Identity Services Engine Software | 3.4 Patch 4 | affected |
| Cisco | Cisco Identity Services Engine Software | 3.3 Patch 8 | affected |
| Cisco | Cisco Identity Services Engine Software | 3.5 Patch 1 | affected |
| Cisco | Cisco Identity Services Engine Software | 3.3 Patch 9 | affected |
| Cisco | Cisco Identity Services Engine Software | 3.4 Patch 5 | affected |
| Cisco | Cisco Identity Services Engine Software | 3.5 Patch 3 | affected |
| Cisco | Cisco Identity Services Engine Software | 3.5 Patch 2 | affected |
| Cisco | Cisco Identity Services Engine Software | 3.3 Patch 10 | affected |
Weaknesses
- CWE-204: Observable Response Discrepancy
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.