Extreme Platform One
Monthly
Cross-tenant data exposure in Extreme Platform ONE's IAM Gateway API-key authentication path allows an authenticated API-key holder to intermittently receive response data belonging to a different tenant under high-concurrency conditions. Affected endpoints include both ExtremeCloud IQ (XIQ/XAPI) and Extreme Platform ONE Common Services API paths; XIQ-native tokens and standard OAuth/Bearer JWT authentication are explicitly confirmed unaffected. No public exploit identified at time of analysis, and no CISA KEV listing exists, but the Changed scope (S:C) in the CVSS vector confirms that successful exploitation crosses tenant isolation boundaries, elevating the real-world severity beyond the 6.3 base score for multi-tenant deployments.
Cross-tenant data exposure in Extreme Platform ONE's IAM Gateway API-key authentication path allows an authenticated API-key holder to intermittently receive response data belonging to a different tenant under high-concurrency conditions. Affected endpoints include both ExtremeCloud IQ (XIQ/XAPI) and Extreme Platform ONE Common Services API paths; XIQ-native tokens and standard OAuth/Bearer JWT authentication are explicitly confirmed unaffected. No public exploit identified at time of analysis, and no CISA KEV listing exists, but the Changed scope (S:C) in the CVSS vector confirms that successful exploitation crosses tenant isolation boundaries, elevating the real-world severity beyond the 6.3 base score for multi-tenant deployments.