CVE-2026-9831— ExtremeCloud IQ Cross Tenant Data Exposure via Extreme Platform One Authentication Race Condition
Possible ATT&CK Techniques 1AI
T1530 · Data from Cloud StorageAffected Version Matrix 2
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Extreme Networks | Extreme Platform ONE | < 25.10.0-104 | affected |
25.10.0-104 | unaffected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-9831
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ExtremeCloud IQ Cross Tenant Data Exposure via Extreme Platform One Authentication Race Condition
Source: NVD (National Vulnerability Database)
Vulnerability Description
A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path could, under specific high-concurrency traffic conditions, intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued API key to receive response data for another tenant. The issue was observed through ExtremeCloud IQ/XIQ API endpoints and validated against both XIQ/XAPI and Extreme Platform ONE /Common Services API paths. XIQ-native tokens and standard OAuth/Bearer JWT authentication were not affected.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
使用共享资源的并发执行不恰当同步问题(竞争条件)
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Extreme Networks | Extreme Platform ONE | 0 ~ 25.10.0-104 | - |
II. Public POCs for CVE-2026-9831
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-9831
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-9831 (1)
IV. Related Vulnerabilities
Same vendor: Extreme Networks
- CVE-2026-0689
XIQ‑SE NAC Admin Credential Exposure via HTTP Response - CVE-2020-36907
Extreme Networks Aerohive HiveOS <=11.x 11.x Unauthenticated - CVE-2025-11192
Fabric Engine (VOSS) AutoSense Authentication Bypass - CVE-2025-8679
ExtremeGuest Essentials Captive Portal Unauthenticated Brute - CVE-2025-6235
ExtremeControl (NAC) 'onmouseover' XSS
Same weakness: CWE-362
V. Comments for CVE-2026-9831
No comments yet