CVE-2026-9831
Race Condition in Extreme Platform ONE IAM Gateway API Key Authentication
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: ExtremeNetworks
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| extreme_networks | extreme_platform_one | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-488 | The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session. |
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path. Under specific high-concurrency traffic conditions, it can intermittently allow requests authenticated with an Extreme Platform ONE/IAM-issued API key to receive response data intended for another tenant. This issue affects ExtremeCloud IQ/XIQ API endpoints and has been validated against both XIQ/XAPI and Extreme Platform ONE/Common Services API paths. Notably, XIQ-native tokens and standard OAuth/Bearer JWT authentication methods are not affected.
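The bug class behind CWE-488 and CWE-362 here, as an added illustration in Go (not Extreme Networks' code; the gateway, API keys and tenant names are hypothetical): the vulnerable design caches the tenant resolved from an API key in state shared by every in-flight request, so a second request landing inside the first one's window rewrites it, while the fixed design binds the tenant to the request that authenticated.

```go
package main

import "fmt"

// apiKeys is a constructed API-key -> tenant table (hypothetical values).
var apiKeys = map[string]string{"key-A": "tenantA", "key-B": "tenantB"}

// SharedStateGateway models the bug class: authentication writes the resolved
// tenant into a field every in-flight request shares, and the response step
// reads it back later, after other requests may have overwritten it.
type SharedStateGateway struct{ currentTenant string }

func (g *SharedStateGateway) Authenticate(apiKey string) { g.currentTenant = apiKeys[apiKey] }
func (g *SharedStateGateway) Respond() string            { return "data-for-" + g.currentTenant }

// Request is the fix: the tenant lives in the request that authenticated it,
// so no other request can observe or replace it.
type Request struct{ tenant string }

func Authenticate(apiKey string) Request { return Request{tenant: apiKeys[apiKey]} }
func (r Request) Respond() string         { return "data-for-" + r.tenant }

// InterleavedShared replays the timing window deterministically: request A
// authenticates, request B authenticates before A has responded, then A
// responds. A receives B's tenant data, the cross-tenant leak the CVE describes.
func InterleavedShared() string {
	g := &SharedStateGateway{}
	g.Authenticate("key-A")
	g.Authenticate("key-B") // concurrent request lands inside A's window
	return g.Respond()       // returns data-for-tenantB
}

// InterleavedFixed replays the same interleaving against the per-request design.
func InterleavedFixed() string {
	a := Authenticate("key-A")
	_ = Authenticate("key-B") // cannot reach a's tenant
	return a.Respond()        // returns data-for-tenantA
}

func main() {
	fmt.Println("shared state:", InterleavedShared())
	fmt.Println("per-request: ", InterleavedFixed())
}
```

Running the two Authenticate calls from separate goroutines under `go run -race` makes the race detector report the unsynchronised write and read of currentTenant, which is the check to apply to any handler that caches per-request identity outside the request.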
How can this vulnerability impact me?
The vulnerability can lead to unauthorized data exposure, where a request authenticated with a valid API key might receive response data belonging to a different tenant. This means sensitive information could be leaked between tenants, potentially compromising confidentiality. However, the vulnerability does not affect data integrity or availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability involves a race condition that could intermittently allow requests authenticated with an Extreme Platform ONE/IAM-issued API key to receive response data intended for another tenant. This could lead to unauthorized data exposure between tenants.
Such unauthorized data exposure may impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls to prevent unauthorized access to personal or sensitive data.
However, the provided information does not explicitly state the nature of the data exposed or the specific compliance implications.