CVE-2026-20195
Information Disclosure in Cisco Identity Services Engine
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: Cisco Systems, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | identity_management_api | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-204 | The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in an identity management API endpoint of Cisco ISE. It allows an unauthenticated, remote attacker to enumerate valid user accounts on the affected device by sending specially crafted requests to the API endpoint and analyzing the different error messages returned.
Because the API responds differently depending on whether a username is valid or not, an attacker can compile a list of valid usernames by observing these responses.
How can this vulnerability impact me? :
The vulnerability allows an attacker to discover valid usernames on the system without authentication. This information can be used as a first step in further attacks such as brute force password attempts or social engineering.
While the vulnerability does not directly allow data modification or denial of service, the exposure of valid user accounts can weaken the overall security posture of the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted requests to the affected Cisco ISE identity management API endpoint and analyzing the error messages returned. Differentiated responses indicate whether a username is valid or not.
Specific commands are not provided in the available information.
What immediate steps should I take to mitigate this vulnerability?
The provided information does not include specific mitigation steps for this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an unauthenticated, remote attacker to enumerate valid user accounts by exploiting error messages from an identity management API endpoint. Such unauthorized access to user account information could potentially lead to privacy violations or unauthorized data exposure.
Exposure of valid usernames may increase the risk of targeted attacks, which could impact compliance with standards and regulations that require protection of personal data and user credentials, such as GDPR and HIPAA.
However, the provided information does not explicitly describe the direct impact on compliance with these regulations.