CVE-2026-9831
Awaiting Analysis Awaiting Analysis - Queue
Race Condition in Extreme Platform ONE IAM Gateway API Key Authentication

Publication date: 2026-05-29

Last updated on: 2026-06-01

Assigner: ExtremeNetworks

Description
A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path could, under specific high-concurrency traffic conditions, intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued API key to receive response data for another tenant. The issue was observed through ExtremeCloud IQ/XIQ API endpoints and validated against both XIQ/XAPI and Extreme Platform ONE /Common Services API paths. XIQ-native tokens and standard OAuth/Bearer JWT authentication were not affected.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-06-01
Generated
2026-06-19
AI Q&A
2026-05-30
EPSS Evaluated
2026-06-18
NVD
CVE-2026-9831
EUVD
EUVD-2026-33445
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
extreme_networks extreme_platform_one *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
CWE-488 The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path. Under specific high-concurrency traffic conditions, it can intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued API key to receive response data intended for another tenant. This issue affects ExtremeCloud IQ/XIQ API endpoints and has been validated against both XIQ/XAPI and Extreme Platform ONE/Common Services API paths. Notably, XIQ-native tokens and standard OAuth/Bearer JWT authentication methods are not affected.

Impact Analysis

The vulnerability can lead to unauthorized data exposure, where a request authenticated with a valid API key might receive response data belonging to a different tenant. This means sensitive information could be leaked between tenants, potentially compromising confidentiality. However, the vulnerability does not affect data integrity or availability.

Compliance Impact

This vulnerability involves a race condition that could intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued API key to receive response data intended for another tenant. This could lead to unauthorized data exposure between tenants.

Such unauthorized data exposure may impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls to prevent unauthorized access to personal or sensitive data.

However, the provided information does not explicitly state the nature of the data exposed or the specific compliance implications.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9831. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart