CVE-2026-0689
MEDIUM EPSS 20.2%
Published Mar 2, 20263mo ago · Modified Jun 5, 20263w ago
6.0 CVSS 4.0
Published Mar 2, 2026 3mo ago
Last Modified Jun 5, 2026 3w ago
Description
In ExtremeCloud IQ – Site Engine (XIQ‑SE) before 26.2.10, a vulnerability in the NAC administration interface allows an authenticated NAC administrator to retrieve masked sensitive parameters from HTTP responses. Although credentials appear redacted in the user interface, the application returns the underlying credential values in the HTTP response, enabling an authorized administrator to recover stored secrets that may exceed their intended access. We would like to thank the Lockheed Martin Red Team for responsibly reporting this issue and working with us through coordinated disclosure.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction None
Scope X
Threat Intelligence
EPSS Exploit Probability
20.2% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 1
CWE-522
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| extremenetworks | extremecloud_iq_site_engine | * | <26.2.10 |
References 1
- extreme-networks.my.site.com https://extreme-networks.my.site.com/ExtrArticleDetail?an=000134325
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.