Description
A race condition in the shared Extreme Platform
ONE IAM Gateway API-key authentication path could, under specific
high-concurrency traffic conditions, intermittently allow requests
authenticated with an Extreme Platform ONE /IAM-issued API key to receive
response data for another tenant. The issue was observed through ExtremeCloud
IQ/XIQ API endpoints and validated against both XIQ/XAPI and Extreme Platform ONE
/Common Services API paths. XIQ-native tokens and standard OAuth/Bearer JWT
authentication were not affected.
Published: 2026-05-29
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition in the shared Extreme Platform ONE IAM Gateway API‑key authentication path allows requests authenticated with an Extreme Platform ONE /IAM‑issued API key to receive response data belonging to another tenant under specific high‑concurrency traffic conditions. The flaw is a classic thread‑safety issue (CWE‑362) and a resource contention race (CWE‑488) that can let an attacker temporarily access data it should not see. The vulnerability is limited to API‑key authentication only; XIQ‑native tokens and standard OAuth/Bearer JWT authentication remain unaffected.

Affected Systems

Licensing platform: Extreme Networks Extreme Platform ONE has been found vulnerable. The issue manifests in the ExtremeCloud IQ and XIQ API endpoints as well as the Common Services API paths used by Extreme Platform ONE. No specific affected version numbers were provided in the advisory, so any installation still using the default IAM Gateway API‑key method is potentially impacted.

Risk and Exploitability

The CVSS score of 6.3 places the vulnerability at moderate severity. Because the EPSS score is not available and the incident is not listed in CISA KEV, the exploitation likelihood appears low at present. However, the race condition requires high‑concurrency traffic to trigger and may be difficult to reproduce reliably, but once triggered it results in inadvertent data leakage across tenants. Administrators should consider the risk moderate and take proactive measures until a vendor patch is released.

Generated by OpenCVE AI on May 29, 2026 at 22:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch or update to the latest stable release of Extreme Platform ONE when it becomes available.
  • Switch from API‑key authentication to XIQ‑native tokens or OAuth/JWT Bearer JWT authentication for tenant access.
  • Implement traffic shaping or rate limiting to mitigate high‑concurrency traffic conditions that trigger the race condition.

Generated by OpenCVE AI on May 29, 2026 at 22:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 21:45:00 +0000

Type Values Removed Values Added
Description A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path could, under specific high-concurrency traffic conditions, intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued API key to receive response data for another tenant. The issue was observed through ExtremeCloud IQ/XIQ API endpoints and validated against both XIQ/XAPI and Extreme Platform ONE /Common Services API paths. XIQ-native tokens and standard OAuth/Bearer JWT authentication were not affected.
Title ExtremeCloud IQ Cross Tenant Data Exposure via Extreme Platform One Authentication Race Condition
Weaknesses CWE-362
CWE-488
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: ExtremeNetworks

Published:

Updated: 2026-05-29T21:19:17.118Z

Reserved: 2026-05-28T12:21:45.520Z

Link: CVE-2026-9831

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-29T22:16:23.980

Modified: 2026-05-29T22:16:23.980

Link: CVE-2026-9831

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T23:00:14Z

Weaknesses