CVE-2026-9831
Description
A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path could, under specific high-concurrency traffic conditions, intermittently allow requests authenticated with an Extreme Platform ONE/IAM-issued API key to receive response data for another tenant. The issue was observed through ExtremeCloud IQ/XIQ API endpoints and validated against both XIQ/XAPI and Extreme Platform ONE/Common Services API paths. XIQ-native tokens and standard OAuth/Bearer JWT authentication were not affected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in Extreme Platform ONE IAM Gateway API-key authentication can cause cross-tenant data exposure under high concurrency.
Vulnerability
A race condition exists in the shared Extreme Platform ONE IAM Gateway API-key authentication path. Under high-concurrency traffic conditions, requests authenticated with an Extreme Platform ONE/IAM-issued API key could intermittently receive response data for another tenant. Affected versions include Extreme Platform ONE before 25.10.0-104. XIQ-native tokens and standard OAuth/Bearer JWT authentication are not affected. [1]
Exploitation
An attacker needs a valid API key issued by Extreme Platform ONE/IAM and must send requests during high-concurrency conditions. The race window occurs due to shared authentication state, causing intermittent cross-tenant data leakage. No additional authentication or user interaction beyond API key possession is required. [1]
Impact
Successful exploitation could result in unauthorized disclosure of another tenant's response data, potentially exposing sensitive information belonging to other tenants. No code execution or data modification is reported. [1]
Mitigation
Extreme Networks has released a fix in Extreme Platform ONE version 25.10.0-104. Users should upgrade to this version or later. No workaround is mentioned. Users of affected products should consult the security advisory for full details. [1]
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 0
No linked articles in our index yet.