Severity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path could, under specific high-concurrency traffic conditions, intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued API key to receive response data for another tenant. The issue was observed through ExtremeCloud IQ/XIQ API endpoints and validated against both XIQ/XAPI and Extreme Platform ONE /Common Services API paths. XIQ-native tokens and standard OAuth/Bearer JWT authentication were not affected.
AnalysisAI
Cross-tenant data exposure in Extreme Platform ONE's IAM Gateway API-key authentication path allows an authenticated API-key holder to intermittently receive response data belonging to a different tenant under high-concurrency conditions. Affected endpoints include both ExtremeCloud IQ (XIQ/XAPI) and Extreme Platform ONE Common Services API paths; XIQ-native tokens and standard OAuth/Bearer JWT authentication are explicitly confirmed unaffected. No public exploit identified at time of analysis, and no CISA KEV listing exists, but the Changed scope (S:C) in the CVSS vector confirms that successful exploitation crosses tenant isolation boundaries, elevating the real-world severity beyond the 6.3 base score for multi-tenant deployments.
Technical ContextAI
The vulnerability is rooted in CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization), commonly referred to as a race condition. The shared IAM Gateway component responsible for API-key authentication in Extreme Platform ONE processes requests against a shared resource - likely a session context, response buffer, or tenant-resolution cache - without adequate synchronization under concurrent load. When two or more API-key-authenticated requests arrive simultaneously, a thread interleaving window can cause the IAM Gateway to associate the response for one tenant with the authenticated context of another. The affected product is identified by CPE cpe:2.3:a:extreme_networks:extreme_platform_one:*:*:*:*:*:*:*:* (all versions per NVD CPE wildcard), spanning its ExtremeCloud IQ (XIQ) and Common Services API surfaces. The CVSS Changed Scope (S:C) confirms the vulnerability crosses the tenant isolation security boundary, which is the primary architectural guarantee of any multi-tenant SaaS platform.
RemediationAI
The primary remediation is to apply the vendor-supplied fix detailed in Extreme Networks Security Advisory SA-2026-048 at https://community.extremenetworks.com/t5/security-advisories-formerly/sa-2026-048-extremecloud-iq-cross-tenant-data-exposure-via/ba-p/121851. No specific patched version number was included in the available input data, so the exact fix version must be confirmed directly against the advisory - do not assume a version without verifying. As an interim compensating control, organizations that exclusively use XIQ-native tokens or OAuth/Bearer JWT for API authentication can note that those paths are confirmed unaffected; auditing API key usage and migrating high-privilege integrations to JWT-based authentication would reduce exposure while awaiting patch deployment. Restricting Extreme Platform ONE IAM API key usage to low-concurrency, non-production workloads limits the race window's exploitability, though this is operationally disruptive. Rate-limiting or queuing API-key-authenticated traffic at the gateway layer may narrow the race window but does not eliminate it and should not be treated as a permanent fix. Rotating all existing IAM-issued API keys after patching is advisable, as any key that was active during a vulnerable period could theoretically have been the beneficiary or victim of a cross-tenant data leak.
Same weakness CWE-362 – Race Condition
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33445
GHSA-w637-mwv9-mchj