CVE-2026-20041
SSRF Vulnerability in Cisco Nexus Dashboard Enables Remote Exploitation
Publication date: 2026-04-01
Last updated on: 2026-04-01
Assigner: Cisco Systems, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | nexus_dashboard | * |
| cisco | nexus_dashboard_insights | * |
| cisco | nexus_dashboard_insights | to 6.5 (exc) |
| cisco | nexus_dashboard | 4.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can allow an attacker to perform unauthorized network requests from the affected device, which may lead to execution of arbitrary scripts or unauthorized access to sensitive information within the device management interface.
The impact includes potential compromise of confidentiality and integrity of information accessible through the interface, although availability is not affected.
Because the attack requires user interaction (clicking a crafted link), the risk depends on user behavior, but the attacker does not need any privileges on the device.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are no specific detection commands or network/system detection methods provided for this vulnerability in the available information.
What immediate steps should I take to mitigate this vulnerability?
No workarounds are available for this vulnerability. Cisco strongly recommends upgrading to fixed software releases to fully remediate the issue.
- For Cisco Nexus Dashboard Insights, migrate from versions 6.5 and earlier to a fixed Nexus Dashboard release.
- For Cisco Nexus Dashboard, upgrade from versions 3.2 and earlier to version 4.2 or later, which are not vulnerable.
Ensure compatibility with your hardware and software configurations before upgrading, and seek assistance from Cisco Technical Assistance Center (TAC) if needed.
Can you explain this vulnerability to me?
CVE-2026-20041 is a Server-Side Request Forgery (SSRF) vulnerability affecting Cisco Nexus Dashboard and Cisco Nexus Dashboard Insights. It occurs due to improper input validation of specific HTTP requests.
An unauthenticated remote attacker can exploit this vulnerability by convincing an authenticated user of the device management interface to click a specially crafted link.
If successfully exploited, the attacker can send arbitrary network requests originating from the affected device to an attacker-controlled server, potentially executing arbitrary script code within the interface context or accessing sensitive browser-based information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an attacker to execute arbitrary script code or access sensitive browser-based information by exploiting a server-side request forgery (SSRF) flaw in Cisco Nexus Dashboard and Nexus Dashboard Insights.
Such unauthorized access to sensitive information and potential compromise of system integrity could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access and breaches.
However, the provided information does not explicitly detail the direct impact on compliance with these standards or any specific regulatory implications.