Primary

Context

Extreme Networks Platform One Cross-Tenant Data Exposure Vulnerability

Vulnerability

Patched

A race condition has been identified in the Extreme Platform One IAM Gateway API-key authentication process. Under specific high-concurrency traffic conditions, this vulnerability could intermittently allow requests authenticated with an Extreme Platform One/IAM-issued API key to access response data intended for another tenant. The issue was observed through ExtremeCloud IQ/XIQ API endpoints and validated against both XIQ/XAPI and Extreme Platform One/Common Services API paths. Notably, XIQ-native tokens and standard OAuth/Bearer JWT authentication were not impacted.

Impact

Exploitation of this vulnerability could lead to unauthorized cross-tenant data exposure, allowing one tenant to access data belonging to another tenant.

Remediation

Users can upgrade to Extreme Platform One version 25.10.0-104 or later to address this vulnerability.

Added: May 29, 2026, 10:19 PM

Updated: May 29, 2026, 10:19 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

4.8

remediation

0.0

relevance

9.6

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

4.8

remediation

0.0

relevance

9.6

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Extreme Networks Platform One Cross-Tenant Data Exposure Vulnerability

Vulnerability

Impact

Remediation

Affected Products

Extreme Networks Extreme Platform ONE

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating