CVE-2026-20041
Received Received - Intake
SSRF Vulnerability in Cisco Nexus Dashboard Enables Remote Exploitation

Publication date: 2026-04-01

Last updated on: 2026-04-01

Assigner: Cisco Systems, Inc.

Description
A vulnerability in Cisco Nexus Dashboard and Cisco Nexus Dashboard Insights could allow an unauthenticated, remote attacker to conduct a server-side request forgery (SSRF) attack through an affected device. This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by persuading an authenticated user of the device management interface to click a crafted link. A successful exploit could allow the attacker to send arbitrary network requests that are sourced from the affected device to an attacker-controlled server. The attacker could then execute arbitrary script code in the context of the affected interface or access sensitive browser-based information.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-20041
EUVD
EUVD-2026-17933
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
cisco nexus_dashboard *
cisco nexus_dashboard_insights *
cisco nexus_dashboard_insights to 6.5 (exc)
cisco nexus_dashboard 4.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can allow an attacker to perform unauthorized network requests from the affected device, which may lead to execution of arbitrary scripts or unauthorized access to sensitive information within the device management interface.

The impact includes potential compromise of confidentiality and integrity of information accessible through the interface, although availability is not affected.

Because the attack requires user interaction (clicking a crafted link), the risk depends on user behavior, but the attacker does not need any privileges on the device.

Detection Guidance

There are no specific detection commands or network/system detection methods provided for this vulnerability in the available information.

Mitigation Strategies

No workarounds are available for this vulnerability. Cisco strongly recommends upgrading to fixed software releases to fully remediate the issue.

  • For Cisco Nexus Dashboard Insights, migrate from versions 6.5 and earlier to a fixed Nexus Dashboard release.
  • For Cisco Nexus Dashboard, upgrade from versions 3.2 and earlier to version 4.2 or later, which are not vulnerable.

Ensure compatibility with your hardware and software configurations before upgrading, and seek assistance from Cisco Technical Assistance Center (TAC) if needed.

Executive Summary

CVE-2026-20041 is a Server-Side Request Forgery (SSRF) vulnerability affecting Cisco Nexus Dashboard and Cisco Nexus Dashboard Insights. It occurs due to improper input validation of specific HTTP requests.

An unauthenticated remote attacker can exploit this vulnerability by convincing an authenticated user of the device management interface to click a specially crafted link.

If successfully exploited, the attacker can send arbitrary network requests originating from the affected device to an attacker-controlled server, potentially executing arbitrary script code within the interface context or accessing sensitive browser-based information.

Compliance Impact

The vulnerability allows an attacker to execute arbitrary script code or access sensitive browser-based information by exploiting a server-side request forgery (SSRF) flaw in Cisco Nexus Dashboard and Nexus Dashboard Insights.

Such unauthorized access to sensitive information and potential compromise of system integrity could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access and breaches.

However, the provided information does not explicitly detail the direct impact on compliance with these standards or any specific regulatory implications.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20041. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart