CVE-2026-0689
Received - Intake
Information Disclosure via NAC Interface in ExtremeCloud IQ – Site Engine

Publication date: 2026-03-02

Last updated on: 2026-03-02

Assigner: ExtremeNetworks

Description
In ExtremeCloud IQ – Site Engine (XIQ‑SE) before 26.2.10, a vulnerability in the NAC administration interface allows an authenticated NAC administrator to retrieve masked sensitive parameters from HTTP responses. Although credentials appear redacted in the user interface, the application returns the underlying credential values in the HTTP response, enabling an authorized administrator to recover stored secrets that may exceed their intended access. We would like to thank the Lockheed Martin Red Team for responsibly reporting this issue and working with us through coordinated disclosure.
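The pattern the description reports (a value masked in the user interface but present in the HTTP response) next to server-side redaction and a regression check, as an added example that is not Extreme Networks' code. The field names, the sentinel value and the record layout are hypothetical.

```python
import json

# Hypothetical names throughout: SECRET_FIELDS, UNCHANGED and the record layout.
SECRET_FIELDS = {"bind_password", "shared_secret"}
UNCHANGED = "__unchanged__"  # sentinel the form posts back when a secret was not edited


def serialize_vulnerable(record):
    """Pattern from the description: the real value is sent and only the UI masks it."""
    return json.dumps({k: {"value": v, "masked": k in SECRET_FIELDS}
                       for k, v in record.items()})


def serialize_hardened(record):
    """Redact on the server: the response only reveals whether a secret is set."""
    out = {}
    for k, v in record.items():
        if k in SECRET_FIELDS:
            out[k] = {"value": UNCHANGED if v else "", "masked": True}
        else:
            out[k] = {"value": v, "masked": False}
    return json.dumps(out)


def apply_update(record, submitted):
    """Write path: the sentinel keeps the stored secret, any other value replaces it."""
    updated = dict(record)
    for k, v in submitted.items():
        if k in SECRET_FIELDS and v == UNCHANGED:
            continue
        updated[k] = v
    return updated


def leaked_fields(record, response_body):
    """Regression check: secret fields whose stored value appears in the raw body text."""
    return sorted(k for k in SECRET_FIELDS
                  if record.get(k) and record[k] in response_body)


# Constructed sample record, not real configuration.
SAMPLE = {"host": "ldap.example.test", "bind_dn": "cn=svc,dc=example,dc=test",
          "bind_password": "S3cr3t-constructed", "shared_secret": ""}

if __name__ == "__main__":
    print(leaked_fields(SAMPLE, serialize_vulnerable(SAMPLE)))
    print(leaked_fields(SAMPLE, serialize_hardened(SAMPLE)))
```

The same `leaked_fields` check can run in an integration test against captured responses from a test instance, using secrets seeded for that purpose.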
Meta Information
Published: 2026-03-02
Last Modified: 2026-03-02
Generated: 2026-05-07
AI Q&A: 2026-03-02
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
extreme_networks | extremecloud_iq_site_engine | to 26.2.10 (exc)
CWE
CWE ID | Description
CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-0689 is a vulnerability in ExtremeCloud IQ – Site Engine (XIQ-SE) versions before 26.2.10 that affects the Network Access Control (NAC) administration interface.

Although sensitive credential parameters appear masked or redacted in the user interface, the application actually returns the underlying credential values in HTTP responses.

This means that an authenticated NAC administrator can retrieve stored secrets that they are not supposed to access, exposing sensitive information beyond their intended permissions.


How can this vulnerability impact me?

This vulnerability allows an authenticated NAC administrator to access sensitive credential information that should be masked and protected.

As a result, authorized administrators may recover stored secrets beyond their intended access level, potentially leading to unauthorized use or disclosure of sensitive credentials.

This could increase the risk of insider threats or misuse of privileged information within the network environment.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade ExtremeCloud IQ – Site Engine (XIQ-SE) to version 26.2.10 or later.

This update addresses the issue where authenticated NAC administrators could retrieve sensitive credential parameters from HTTP responses that were supposed to be masked.

