CVE-2026-9831

{"id": "CVE-2026-9831", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "1c053176-eef3-4d6a-ae0b-24728c86587b", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 1.8}]}, "published": "2026-05-29T22:16:23.980", "references": [{"url": "https://community.extremenetworks.com/t5/security-advisories-formerly/sa-2026-048-extremecloud-iq-cross-tenant-data-exposure-via/ba-p/121851", "source": "1c053176-eef3-4d6a-ae0b-24728c86587b"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "1c053176-eef3-4d6a-ae0b-24728c86587b", "description": [{"lang": "en", "value": "CWE-362"}, {"lang": "en", "value": "CWE-488"}]}], "descriptions": [{"lang": "en", "value": "A race condition in the shared Extreme Platform\nONE IAM Gateway API-key authentication path could, under specific\nhigh-concurrency traffic conditions, intermittently allow requests\nauthenticated with an Extreme Platform ONE /IAM-issued API key to receive\nresponse data for another tenant. The issue was observed through ExtremeCloud\nIQ/XIQ API endpoints and validated against both XIQ/XAPI and Extreme Platform ONE\n/Common Services API paths. XIQ-native tokens and standard OAuth/Bearer JWT\nauthentication were not affected."}], "lastModified": "2026-06-01T18:02:29.343", "sourceIdentifier": "1c053176-eef3-4d6a-ae0b-24728c86587b"}