Cisco DNA Center Information Disclosure Vulnerability
Description
A vulnerability in the API endpoints for Cisco DNA Center could allow an authenticated, remote attacker to gain access to sensitive information that should be restricted. The attacker must have valid device credentials. This vulnerability is due to improper access controls on API endpoints. An attacker could exploit the vulnerability by sending a specific API request to an affected application. A successful exploit could allow the attacker to obtain sensitive information about other users who are configured with higher privileges on the application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cisco DNA Center API endpoints have improper access controls, allowing authenticated attackers to obtain sensitive information about higher-privileged users.
Vulnerability
An information disclosure vulnerability exists in the API endpoints of Cisco DNA Center, affecting releases 2.2.2 and earlier, and 2.2.3 [1]. The vulnerability is due to improper access controls on specific API endpoints [1]. An attacker must have valid device credentials but can then enumerate user information that should be restricted.
Exploitation
An authenticated, remote attacker with valid device credentials can exploit this vulnerability by sending a crafted API request to an affected Cisco DNA Center application [1]. No additional user interaction is required beyond the initial authentication. The attacker leverages the improper access controls to bypass intended authorization checks.
Impact
Successful exploitation allows the attacker to gain sensitive information about other users who are configured with higher privileges on the application [1]. This could include usernames, roles, or other attributes that facilitate further targeted attacks or privilege escalation within the Cisco DNA Center environment.
Mitigation
Cisco has released fixed versions: Cisco DNA Center 2.2.2.5 (for the 2.2.2 train) and 2.2.3.3 (for the 2.2.3 train) [1]. Customers should upgrade to the appropriate fixed release. No workarounds are documented in the advisory [1]. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Cisco / Cisco Digital Network Architecture Center (DNA Center); v5; Range: n/a
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-infodisc-KyC6YncS (vendor advisory; source: MITRE, x_refsource_CISCO)
News mentions
No linked articles in our index yet.