Description
A vulnerability in Cisco Catalyst Center could allow an unauthenticated, remote attacker to read arbitrary files from a restricted container. 

This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to read arbitrary files from a restricted container of the affected device.
Published: 2026-07-01
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Cisco Catalyst Center permits an unauthenticated attacker to send a crafted HTTP request that bypasses input validation. The vulnerability allows reading of arbitrary files from a restricted container, exposing confidential data. The weakness is a form of path traversal, indexed as CWE-22.

Affected Systems

The product affected is Cisco Catalyst Center. No specific product version information is listed in the CVE data, so all releases of the platform are considered potentially impacted until further vendor guidance is available.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity risk, while the EPSS score of less than 1% indicates a low probability of exploitation. It is not listed in CISA’s KEV catalog. The attack vector is an unauthenticated remote HTTP request, which means an external attacker with network access to the device could exploit the flaw by sending a specially crafted request to the web interface.

Generated by OpenCVE AI on July 2, 2026 at 18:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Cisco Catalyst Center to the latest version that includes the vendor’s fix.
  • Configure network segmentation and firewall rules to limit management access to trusted networks only, reducing the likelihood of an attacker reaching the HTTP interface.
  • Implement additional access control so that only authenticated users can access file paths exposed by the Catalyst Center’s APIs, thus mitigating the path traversal flaw.

Generated by OpenCVE AI on July 2, 2026 at 18:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 17:15:00 +0000

Type Values Removed Values Added
Description A vulnerability in Cisco Catalyst Center could allow an unauthenticated, remote attacker to read arbitrary files from a restricted container.&nbsp; This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to read arbitrary files from a restricted container of the affected device.
Title Cisco Catalyst Center Arbitrary File Read Vulnerability
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-07-01T17:25:09.294Z

Reserved: 2025-10-08T11:59:15.395Z

Link: CVE-2026-20191

cve-icon Vulnrichment

Updated: 2026-07-01T17:21:08.775Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-02T19:00:11Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')