Description
A vulnerability in the REST API of Cisco Slido could have allowed an authenticated, remote attacker to access the social profile data of other users or affect quiz and poll results. Cisco has addressed this vulnerability in Cisco Slido and no customer action is needed.

This vulnerability existed because of the presence of an insecure direct object reference. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by sending a crafted request to the vulnerable API endpoint. A successful exploit could have allowed the attacker to view the social profiles of other users or affect quiz and poll results.
Published: 2026-05-06
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The insecure direct object reference in Cisco Slido’s REST API allows an authenticated attacker to craft requests that reveal other participants’ social profile information or alter quiz and poll results, violating access control and confidentiality as defined by CWE-639. When this flaw is exploited, an attacker can compromise user privacy and distort the integrity of interactive content.

Affected Systems

The vulnerability impacts Cisco Slido. Cisco has addressed this vulnerability in Cisco Slido and no customer action is needed. No information is available regarding Cisco Webex Meetings, so the status of that product is unclear.

Risk and Exploitability

The CVSS score is 5.4, indicating medium severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote, authenticated client sending crafted requests to the vulnerable REST endpoint, restricted to users with valid credentials. Cisco has addressed the issue, so no further action is required.

Generated by OpenCVE AI on May 6, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Continue normal operations; no configuration changes are required at this time.
  • Apply standard network security controls, ensuring that only authenticated users can access the REST API endpoints.
  • Stay informed by reviewing Cisco’s security advisories for any future updates.


Advisories

No advisories yet.

History

Wed, 06 May 2026 21:45:00 +0000

Type: Title
Values Removed: (none)
Values Added: Insecure Direct Object Reference in Cisco Slido REST API Allowing Unauthorized User Data Access

Wed, 06 May 2026 19:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 06 May 2026 17:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: A vulnerability in the REST API of Cisco Slido could have allowed an authenticated, remote attacker to access the social profile data of other users or affect quiz and poll results. Cisco has addressed this vulnerability in Cisco Slido and no customer action is needed. This vulnerability existed because of the presence of an insecure direct object reference. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by sending a crafted request to the vulnerable API endpoint. A successful exploit could have allowed the attacker to view the social profiles of other users or affect quiz and poll results.

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-639

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-05-06T19:09:39.992Z

Reserved: 2025-10-08T11:59:15.398Z

Link: CVE-2026-20219

Vulnrichment

Updated: 2026-05-06T19:09:35.446Z

NVD

Status: Awaiting Analysis

Published: 2026-05-06T17:16:21.760

Modified: 2026-05-06T18:59:53.230

Link: CVE-2026-20219

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T21:30:12Z

Weaknesses