CVE-2026-9831
6.3
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Summary
A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path could, under specific high-concurrency traffic conditions, intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued API key to receive response data for another tenant. The issue was observed through ExtremeCloud IQ/XIQ API endpoints and validated against both XIQ/XAPI and Extreme Platform ONE /Common Services API paths. XIQ-native tokens and standard OAuth/Bearer JWT authentication were not affected.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Extreme Networks | Extreme Platform ONE | 0 < 25.10.0-104 | affected |
| Extreme Networks | Extreme Platform ONE | 25.10.0-104 | unaffected |
Weaknesses
- CWE-362: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)
- CWE-488: CWE-488 Exposure of data element to wrong session
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.