CVE-2026-9831
ExtremeCloud IQ Cross Tenant Data Exposure via Extreme Platform One Authentication Race Condition
CVSS Score
6.3
EPSS Score
0.1%
EPSS Percentile
16th
A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path could, under specific high-concurrency traffic conditions, intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued API key to receive response data for another tenant. The issue was observed through ExtremeCloud IQ/XIQ API endpoints and validated against both XIQ/XAPI and Extreme Platform ONE /Common Services API paths. XIQ-native tokens and standard OAuth/Bearer JWT authentication were not affected.
| CWE | CWE-362 CWE-488 |
| Vendor | extreme networks |
| Product | extreme platform one |
| Published | May 29, 2026 |
| Last Updated | Jun 1, 2026 |
Stay Ahead of the Next One
Get instant alerts for extreme networks extreme platform one
Be the first to know when new medium vulnerabilities affecting extreme networks extreme platform one are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None
Affected Versions
Extreme Networks / Extreme Platform ONE
0 < 25.10.0-104
References
Credits
Sebastian Koller of Iteas IT Services GmbH (Austria) for responsible discovery and disclosure of this vulnerability. ๐ Sebastian Koller of Iteas IT Services GmbH (Austria) for responsible coordination and providing detailed evidence supporting root cause identification.