CVE-2026-0689
Status: Analyzed - Analysis Complete
Information Disclosure via NAC Interface in ExtremeCloud IQ – Site Engine

Publication date: 2026-03-02

Last updated on: 2026-06-05

Assigner: ExtremeNetworks

Description
In ExtremeCloud IQ – Site Engine (XIQ‑SE) before 26.2.10, a vulnerability in the NAC administration interface allows an authenticated NAC administrator to retrieve masked sensitive parameters from HTTP responses. Although credentials appear redacted in the user interface, the application returns the underlying credential values in the HTTP response, enabling an authorized administrator to recover stored secrets that may exceed their intended access. We would like to thank the Lockheed Martin Red Team for responsibly reporting this issue and working with us through coordinated disclosure.

Meta Information
Published: 2026-03-02
Last Modified: 2026-06-05
Generated: 2026-06-16
AI Q&A: 2026-03-02
EPSS Evaluated: 2026-06-15

Affected Vendors & Products
Vendor | Product | Version / Range
extremenetworks | extremecloud_iq_site_engine | up to 26.2.10 (exclusive)

CWE ID | Description
CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Executive Summary

CVE-2026-0689 is a vulnerability in ExtremeCloud IQ – Site Engine (XIQ-SE) versions before 26.2.10 that affects the Network Access Control (NAC) administration interface.

Although sensitive credential parameters appear masked or redacted in the user interface, the application actually returns the underlying credential values in HTTP responses.

This means that an authenticated NAC administrator can retrieve stored secrets that they are not supposed to access, exposing sensitive information beyond their intended permissions.

Impact Analysis

This vulnerability allows an authenticated NAC administrator to access sensitive credential information that should be masked and protected.

As a result, authorized administrators may recover stored secrets beyond their intended access level, potentially leading to unauthorized use or disclosure of sensitive credentials.

This could increase the risk of insider threats or misuse of privileged information within the network environment.

Mitigation Strategies

To mitigate this vulnerability, upgrade ExtremeCloud IQ – Site Engine (XIQ-SE) to version 26.2.10 or later.

This update addresses the issue where authenticated NAC administrators could retrieve sensitive credential parameters from HTTP responses that were supposed to be masked.
