Skip to main content

Cisco Slido CVE-2026-20219

| EUVDEUVD-2026-27864 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-06 psirt@cisco.com GHSA-83ch-55jw-xp9w
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 06, 2026 - 17:34 vuln.today

DescriptionCVE.org

A vulnerability in the REST API of Cisco Slido could have allowed an authenticated, remote attacker to access the social profile data of other users or affect quiz and poll results. Cisco has addressed this vulnerability in Cisco Slido and no customer action is needed. This vulnerability existed because of the presence of an insecure direct object reference. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by sending a crafted request to the vulnerable API endpoint. A successful exploit could have allowed the attacker to view the social profiles of other users or affect quiz and poll results.

AnalysisAI

Insecure direct object reference (IDOR) in Cisco Slido REST API allows authenticated remote attackers to view other users' social profile data and manipulate quiz or poll results. The vulnerability requires valid authentication but no user interaction, affecting confidentiality and integrity of user data and poll integrity. Cisco has released a patched version; no public exploit code or active exploitation has been identified at the time of analysis.

Technical ContextAI

Cisco Slido's REST API implements insufficient access controls on object references, allowing authenticated users to access or modify resources belonging to other users by manipulating request parameters (CWE-639: Authorization Through User-Controlled Key). The vulnerability stems from the API endpoint failing to properly verify that the requesting authenticated user owns or has explicit authorization to access the targeted social profile or poll data. This is a classic IDOR flaw where direct object references (such as user IDs or poll IDs) are passed in API requests without server-side validation of resource ownership. Affected systems are Cisco Slido cloud and on-premises deployments that expose REST API endpoints.

RemediationAI

Cisco has released a patched version addressing this vulnerability. Customers should apply the patch provided in Cisco Security Advisory cisco-sa-slido-idor-CpsFmKxN immediately. No specific patched version number is provided in available data; refer to the advisory link https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-slido-idor-CpsFmKxN for exact update instructions and version numbers. If patching is delayed, implement compensating controls: restrict API endpoint access to specific IP ranges or VPNs, enforce strict role-based access control (RBAC) to limit which users can access quiz and poll management APIs, audit and revoke unnecessary REST API tokens, and monitor API request logs for anomalous patterns (requests for resources not belonging to the requester). These controls have minimal performance impact but may limit legitimate API automation and require ongoing tuning.

Share

CVE-2026-20219 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy