Insecure Direct Object Reference in Cisco Slido Social Profile Access
CVE-2026-20219

5.4MEDIUM

Key Information:

Vendor: Cisco
Status: Cisco Webex Meetings; Cisco Slido
Vendor: CVE Published:; 6 May 2026

Badges

👾 Exploit Exists

What is CVE-2026-20219?

A vulnerability in Cisco Slido's REST API allowed authenticated, remote attackers to access the social profile data of users or manipulate quiz and poll results. The issue arose due to insecure direct object reference, where attackers could exploit this by sending a specially crafted request to the vulnerable API endpoint. Cisco has released a fix for this vulnerability, ensuring that no customer action is needed. Users are encouraged to remain vigilant to protect their data and interactions within the platform.

Affected Version(s)

Cisco Slido

Cisco Webex Meetings 39.10

Cisco Webex Meetings 39.11

References

https://sec.cloudapps.cisco.com/security/center/content/C...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

👾
Exploit known to exist
May 6, 2026
Vulnerability published
May 6, 2026
Vulnerability Reserved
Oct 8, 2025

CVE-2026-20219 Data

JSON