CVE-2026-0689

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-0689
In ExtremeCloud IQ – Site Engine (XIQ‑SE) before 26.2.10, a vulnerability in the NAC administration interface allows an authenticated NAC administrator to retrieve masked sensitive parameters from HTTP responses. Although credentials appear redacted in the user interface, the application returns the underlying credential values in the HTTP response, enabling an authorized administrator to recover stored secrets that may exceed their intended access. We would like to thank the Lockheed Martin Red Team for responsibly reporting this issue and working with us through coordinated disclosure.

4.9 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://extreme-networks.my.site.com/ExtrArticleDetail?an=000134325 Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:extremenetworks:extremecloud_iq_site_engine:*:*:*:*:*:*:*:*
History

05 Jun 2026, 19:44

Type Values Removed Values Added
CPE cpe:2.3:a:extremenetworks:extremecloud_iq_site_engine:*:*:*:*:*:*:*:*
Summary
  • (es) En ExtremeCloud IQ – Site Engine (XIQ?SE) anterior a la versión 26.2.10, una vulnerabilidad en la interfaz de administración de NAC permite a un administrador de NAC autenticado recuperar parámetros sensibles enmascarados de las respuestas HTTP. Aunque las credenciales aparecen redactadas en la interfaz de usuario, la aplicación devuelve los valores de credenciales subyacentes en la respuesta HTTP, lo que permite a un administrador autorizado recuperar secretos almacenados que pueden exceder su acceso previsto. Nos gustaría agradecer al Equipo Rojo de Lockheed Martin por informar responsablemente sobre este problema y trabajar con nosotros a través de una divulgación coordinada.
References () https://extreme-networks.my.site.com/ExtrArticleDetail?an=000134325 - () https://extreme-networks.my.site.com/ExtrArticleDetail?an=000134325 - Vendor Advisory
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 4.9
First Time Extremenetworks
Extremenetworks extremecloud Iq Site Engine

02 Mar 2026, 17:16

Type Values Removed Values Added
Summary (en) In ExtremeCloud IQ – Site Engine (XIQ‑SE) before 26.2.10, a vulnerability in the NAC administration interface allows an authenticated NAC administrator to retrieve masked sensitive parameters from HTTP responses. Although credentials appear redacted in the user interface, the application returns the underlying credential values in the HTTP response, enabling an authorized administrator to recover stored secrets that may exceed their intended access. We would like to thank the Lockheed Martin Red Team for responsibly reporting this issue and working with us through coordinated disclosure. (en) In ExtremeCloud IQ – Site Engine (XIQ‑SE) before 26.2.10, a vulnerability in the NAC administration interface allows an authenticated NAC administrator to retrieve masked sensitive parameters from HTTP responses. Although credentials appear redacted in the user interface, the application returns the underlying credential values in the HTTP response, enabling an authorized administrator to recover stored secrets that may exceed their intended access. We would like to thank the Lockheed Martin Red Team for responsibly reporting this issue and working with us through coordinated disclosure.

02 Mar 2026, 16:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-02 16:16

Updated : 2026-06-05 19:44

NVD link : CVE-2026-0689

Mitre link : CVE-2026-0689

CVE.ORG link : CVE-2026-0689

JSON object : View

Products Affected

extremenetworks

  • extremecloud_iq_site_engine
CWE
CWE-522

Insufficiently Protected Credentials