Skip to main content

Extreme Platform One

1 CVEs product

Monthly

CVE-2026-9831 MEDIUM PATCH This Month

Cross-tenant data exposure in Extreme Platform ONE's IAM Gateway API-key authentication path allows an authenticated API-key holder to intermittently receive response data belonging to a different tenant under high-concurrency conditions. Affected endpoints include both ExtremeCloud IQ (XIQ/XAPI) and Extreme Platform ONE Common Services API paths; XIQ-native tokens and standard OAuth/Bearer JWT authentication are explicitly confirmed unaffected. No public exploit identified at time of analysis, and no CISA KEV listing exists, but the Changed scope (S:C) in the CVSS vector confirms that successful exploitation crosses tenant isolation boundaries, elevating the real-world severity beyond the 6.3 base score for multi-tenant deployments.

Information Disclosure Race Condition Extreme Platform One
NVD VulDB
CVSS 3.1
6.3
EPSS
0.1%
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Cross-tenant data exposure in Extreme Platform ONE's IAM Gateway API-key authentication path allows an authenticated API-key holder to intermittently receive response data belonging to a different tenant under high-concurrency conditions. Affected endpoints include both ExtremeCloud IQ (XIQ/XAPI) and Extreme Platform ONE Common Services API paths; XIQ-native tokens and standard OAuth/Bearer JWT authentication are explicitly confirmed unaffected. No public exploit identified at time of analysis, and no CISA KEV listing exists, but the Changed scope (S:C) in the CVSS vector confirms that successful exploitation crosses tenant isolation boundaries, elevating the real-world severity beyond the 6.3 base score for multi-tenant deployments.

Information Disclosure Race Condition Extreme Platform One
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy