Race Condition in Extreme Networks API Gateway Affecting Data Isolation
CVE-2026-9831
6.3 MEDIUM
What is CVE-2026-9831?
A critical race condition vulnerability exists in the API key authentication process of the Extreme Platform ONE IAM Gateway. Under specific high-concurrency traffic conditions, this flaw may expose one tenant's response data to another tenant. The issue has been observed in ExtremeCloud IQ/XIQ API endpoints, where requests authenticated with IAM-issued API keys can return incorrect tenant data. XIQ-native tokens and OAuth/Bearer JWT authentication methods are not impacted by this vulnerability.
Affected Version(s)
Extreme Platform ONE SaaS (Cloud Hosted) 0 < 25.10.0-104
Extreme Platform ONE SaaS (Cloud Hosted) 25.10.0-104
CVSS V3.1
Score: 6.3
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Sebastian Koller of Iteas IT Services GmbH (Austria) for responsible discovery and disclosure of this vulnerability.
Sebastian Koller of Iteas IT Services GmbH (Austria) for responsible coordination and providing detailed evidence supporting root cause identification.
