VYPR
Medium severity · CVSS 4.3 · NVD Advisory · Published May 6, 2026 · Updated May 6, 2026

CVE-2026-20193


Description

A vulnerability in the RADIUS Policy API endpoints of Cisco ISE could allow an authenticated, remote attacker with read-only Administrator privileges to gain unauthorized access to sensitive information on an affected device.

This vulnerability is due to improper role-based access control (RBAC) permissions on the RADIUS Policy API endpoints. An attacker could exploit this vulnerability by bypassing the web-based management interface and directly calling an affected endpoint. A successful exploit could allow the attacker to gain unauthorized read access to sensitive RADIUS Policy details that are restricted for their role.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2026-20193 is a medium-severity vulnerability in Cisco ISE that allows an authenticated, read-only admin to access sensitive RADIUS Policy details via improper RBAC on API endpoints.

Vulnerability

Overview

CVE-2026-20193 is a vulnerability in the RADIUS Policy API endpoints of Cisco Identity Services Engine (ISE). The root cause is improper role-based access control (RBAC) permissions on these endpoints: the role restriction is applied when the web-based management interface decides what a read-only Administrator may see, but the API endpoints behind that interface do not independently enforce the same restriction. An authenticated, remote attacker holding read-only Administrator privileges can therefore skip the interface and call an affected endpoint directly, gaining unauthorized read access to sensitive RADIUS Policy details that are normally restricted for their role [1].
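The failure class described above, UI-level gating without server-side authorization on the API, is easiest to see side by side with the fix. The following is an added illustration written for this page; it is not Cisco ISE code, and the role names, permission strings, URL paths and policy data are all hypothetical and constructed. The vulnerable dispatcher trusts that only users who could see the page will call the endpoint; the hardened dispatcher requires every handler to declare a permission and denies by default, so a direct API call from a read-only admin gets 403 whether or not the UI ever showed a link.

```python
"""RBAC enforced in the UI only (vulnerable) vs. at the API endpoint (hardened).

Hypothetical minimal API framework; not Cisco ISE code. Role names, permission
strings, routes and the sample policy data are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Session:
    user: str
    role: str  # hypothetical role names: "super-admin", "read-only-admin"

# Hypothetical permission matrix: read-only admin may list endpoints but may
# NOT read RADIUS policy details.
PERMISSIONS: Dict[str, Set[str]] = {
    "radius_policy:read": {"super-admin"},
    "endpoints:read": {"super-admin", "read-only-admin"},
}

# Constructed sample data standing in for sensitive RADIUS policy details.
RADIUS_POLICY = {"policy_set": "Corp-Wireless", "shared_secret_ref": "vault://radius/wifi"}
ENDPOINTS = [{"mac": "00:11:22:33:44:55", "group": "Printers"}]

Handler = Callable[[Session], object]
Response = Tuple[int, Optional[object]]  # (HTTP-style status, body)

def role_allowed(role: str, perm: str) -> bool:
    return role in PERMISSIONS.get(perm, set())

# --- Vulnerable pattern: the only permission check is in the web UI ---------
UI_PAGES = {"Endpoints": "endpoints:read", "RADIUS Policy": "radius_policy:read"}

def ui_menu(session: Session) -> List[str]:
    """The UI hides pages the role may not open. That is the whole check."""
    return [name for name, perm in UI_PAGES.items() if role_allowed(session.role, perm)]

def unguarded_radius_policy(session: Session) -> object:
    """Assumes only users who could see the UI page will ever call it."""
    return RADIUS_POLICY

VULNERABLE_ROUTES: Dict[str, Handler] = {"/api/v1/radius-policy": unguarded_radius_policy}

def vulnerable_dispatch(path: str, session: Session) -> Response:
    """Authenticated session is enough; no per-endpoint authorization at all."""
    handler = VULNERABLE_ROUTES.get(path)
    if handler is None:
        return 404, None
    return 200, handler(session)

# --- Hardened pattern: every handler declares a permission; deny by default --
def requires(perm: str) -> Callable[[Handler], Handler]:
    def decorate(fn: Handler) -> Handler:
        setattr(fn, "required_permission", perm)
        return fn
    return decorate

@requires("radius_policy:read")
def radius_policy(session: Session) -> object:
    return RADIUS_POLICY

@requires("endpoints:read")
def endpoints(session: Session) -> object:
    return ENDPOINTS

def legacy_policy(session: Session) -> object:
    """A handler nobody annotated; must be denied, not silently allowed."""
    return RADIUS_POLICY

HARDENED_ROUTES: Dict[str, Handler] = {
    "/api/v1/radius-policy": radius_policy,
    "/api/v1/endpoints": endpoints,
    "/api/v1/legacy-policy": legacy_policy,
}

def hardened_dispatch(path: str, session: Session) -> Response:
    """Authorization is decided here, for every call, however it arrived."""
    handler = HARDENED_ROUTES.get(path)
    if handler is None:
        return 404, None
    perm = getattr(handler, "required_permission", None)
    if perm is None or not role_allowed(session.role, perm):
        return 403, None  # missing declaration is treated as "nobody may call this"
    return 200, handler(session)

if __name__ == "__main__":
    ro = Session("auditor", "read-only-admin")
    print("UI menu for read-only admin:", ui_menu(ro))
    print("vulnerable direct call:", vulnerable_dispatch("/api/v1/radius-policy", ro))
    print("hardened direct call:  ", hardened_dispatch("/api/v1/radius-policy", ro))
```

The practical review question this models: for each API route, is the permission check performed in the handler or dispatcher (server side, on every request), or only in whatever renders the menu? Anything in the second category is reachable with a bare HTTP client and a valid session cookie, exactly the "bypassing the web-based management interface" path the advisory describes.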

Exploitation

To exploit this vulnerability, an attacker must already hold authenticated access to the Cisco ISE device with read-only Administrator privileges. The attack is performed remotely by bypassing the web-based management interface and directly invoking the vulnerable RADIUS Policy API endpoint with that existing session; no additional authentication, privilege escalation or user interaction is required beyond the read-only admin role itself [1].

Impact

A successful exploit allows the attacker to gain unauthorized read access to sensitive RADIUS Policy details. This could include configuration information that the attacker's role should not have access to, potentially leading to further information gathering or aiding in subsequent attacks. The CVSS v3 base score is 4.3 (Medium), reflecting the limited impact due to the requirement for authenticated access and the read-only nature of the information disclosure [1].

Mitigation

Cisco has released software updates that address this vulnerability. There are no workarounds available: because the missing check is in the server-side authorization of the API endpoints, restricting what the web interface displays does not close the gap, and the fix must come from the software update. Users are advised to upgrade to a fixed software release as indicated in the Cisco Security Advisory. The vulnerability affects Cisco ISE regardless of device configuration, but does not affect Cisco ISE Passive Identity Connector (ISE-PIC) [1]. Until the upgrade is applied, read-only Administrator accounts should be treated as able to read RADIUS Policy details.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
