Description
In ExtremeCloud IQ – Site Engine (XIQ‑SE) before 26.2.10, a vulnerability in the NAC administration interface allows an authenticated NAC administrator to retrieve masked sensitive parameters from HTTP responses. Although credentials appear redacted in the user interface, the application returns the underlying credential values in the HTTP response, enabling an authorized administrator to recover stored secrets that may exceed their intended access.
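
To make the flaw concrete, here is an added Python illustration (not XIQ‑SE code; the record, field names and secret values are constructed for the example): a serializer that masks credentials only for display while still emitting the stored value, beside a server‑side redaction that never returns the secret on read and treats the mask as "keep existing" on write, plus a regression check that flags any admin response carrying a stored secret verbatim.

```python
import json

# Constructed sample NAC configuration record; field names are hypothetical,
# not taken from XIQ-SE, and the secret values are made up for the example.
NAC_RECORD = {
    "name": "corp-radius",
    "host": "radius.example.internal",
    "shared_secret": "s3cr3t-value",
    "ldap_bind_password": "bind-pass-42",
}
SECRET_FIELDS = ("shared_secret", "ldap_bind_password")
MASK = "********"


def serialize_vulnerable(record: dict) -> str:
    """Masks for display only: the UI renders MASK, but the raw value still
    travels in the HTTP body (the pattern behind this CWE-522 exposure)."""
    body = dict(record)
    for field in SECRET_FIELDS:
        body[field + "_display"] = MASK
    return json.dumps(body)


def serialize_hardened(record: dict) -> str:
    """Redacts on the server: a read response only says whether a secret is
    set and never carries its value, so there is nothing to recover."""
    body = {k: v for k, v in record.items() if k not in SECRET_FIELDS}
    for field in SECRET_FIELDS:
        body[field] = {"set": bool(record.get(field)), "display": MASK}
    return json.dumps(body)


def apply_update(stored: dict, incoming: dict) -> dict:
    """Write-only secrets: if the client echoes the mask back (as a UI form
    naturally does), keep the stored value; otherwise replace it."""
    updated = dict(stored)
    for key, value in incoming.items():
        if key in SECRET_FIELDS and value == MASK:
            continue
        updated[key] = value
    return updated


def leaked_secrets(http_body: str, record: dict) -> list:
    """Regression check for an admin endpoint: which stored secret values
    appear verbatim in the response body? An empty list means clean.
    (Secrets containing JSON-escaped characters would need decoding first.)"""
    return [f for f in SECRET_FIELDS if record.get(f) and record[f] in http_body]
```

The check is meant to run in an integration test against every administrative read endpoint, so that a regression to the display‑only pattern fails the build rather than shipping.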

We would like to thank the Lockheed Martin Red Team for responsibly reporting this issue and working with us through coordinated disclosure.
Published: 2026-03-02
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Credential Exposure
Action: Patch Now
AI Analysis

Impact

A flaw in the NAC administration interface of ExtremeCloud IQ – Site Engine enables an authenticated administrator to receive HTTP responses containing fully resolved credential values, despite the UI showing masked entries. The attacker can thus recover stored secrets that are intended to be protected. This constitutes a direct disclosure of sensitive authentication data, potentially allowing privilege escalation within the network visibility and control plane.

Affected Systems

Extreme Networks’ ExtremeCloud IQ – Site Engine, versions prior to 26.2.10. The vulnerability was fixed in 26.2.10 and later releases.

Risk and Exploitability

The CVSS score of 6 indicates moderate severity. EPSS is below 1%, indicating a low current probability of exploitation, and the issue is not listed in CISA’s KEV. Because exploitation requires an authenticated NAC administrator, the attack surface is limited to already‑privileged users. Nonetheless, the recovered credentials could enable broad lateral movement or control over network devices. Organizations should treat this as a moderate risk that warrants prompt remediation.

Generated by OpenCVE AI on April 16, 2026 at 14:33 UTC.

Remediation

Vendor Solution

Fixed in 26.2.10 or later.


OpenCVE Recommended Actions

  • Apply the vendor-published update to version 26.2.10 or later.
  • Apply least‑privilege controls to NAC administrators, limiting their ability to access privileged endpoints.
  • Configure the application or web‑application firewall to strip sensitive values from all HTTP responses sent to administrators.

Generated by OpenCVE AI on April 16, 2026 at 14:33 UTC.

Advisories

No advisories yet.

History

Wed, 04 Mar 2026 11:00:00 +0000

Type: First Time appeared
  Values Added: Extremenetworks; Extremenetworks extremecloud Iq - Site Engine
Type: Vendors & Products
  Values Added: Extremenetworks; Extremenetworks extremecloud Iq - Site Engine

Mon, 02 Mar 2026 20:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 17:00:00 +0000

Type: Description
  Values Removed: In ExtremeCloud IQ – Site Engine (XIQ‑SE) before 26.2.10, a vulnerability in the NAC administration interface allows an authenticated NAC administrator to retrieve masked sensitive parameters from HTTP responses. Although credentials appear redacted in the user interface, the application returns the underlying credential values in the HTTP response, enabling an authorized administrator to recover stored secrets that may exceed their intended access. We would like to thank the Lockheed Martin Red Team for responsibly reporting this issue and working with us through coordinated disclosure.
  Values Added: (identical to the removed text; the description was re‑saved unchanged)

Mon, 02 Mar 2026 15:30:00 +0000

Type: Description
  Values Added: In ExtremeCloud IQ – Site Engine (XIQ‑SE) before 26.2.10, a vulnerability in the NAC administration interface allows an authenticated NAC administrator to retrieve masked sensitive parameters from HTTP responses. Although credentials appear redacted in the user interface, the application returns the underlying credential values in the HTTP response, enabling an authorized administrator to recover stored secrets that may exceed their intended access. We would like to thank the Lockheed Martin Red Team for responsibly reporting this issue and working with us through coordinated disclosure.
Type: Title
  Values Added: XIQ‑SE NAC Admin Credential Exposure via HTTP Response
Type: Weaknesses
  Values Added: CWE-522
Type: References
  Values Added: (none)
Type: Metrics
  Values Added: cvssV4_0 {'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}

MITRE

Status: PUBLISHED

Assigner: ExtremeNetworks

Published:

Updated: 2026-03-02T19:17:37.551Z

Reserved: 2026-01-07T20:12:47.064Z

Link: CVE-2026-0689

Vulnrichment

Updated: 2026-03-02T19:17:33.383Z

NVD

Status: Awaiting Analysis

Published: 2026-03-02T16:16:23.653

Modified: 2026-03-02T20:29:29.330

Link: CVE-2026-0689

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T14:45:25Z

Weaknesses