SA-2026-048 - ExtremeCloud IQ Cross-Tenant Data Ex... - Extreme Networks

Summary

A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path could, under specific high-concurrency traffic conditions, intermittently allow requests authenticated with an Extreme Platform ONE/IAM-issued API key to receive response data for another tenant. The issue was observed through ExtremeCloud IQ/XIQ API endpoints and validated against both XIQ/XAPI and Extreme Platform ONE/Common Services API paths. XIQ-native tokens and standard OAuth/Bearer JWT authentication were not affected.

Extreme Networks thanks Sebastian Koller of Iteas IT Services GmbH for the responsible disclosure of this issue.

Products not listed in the Impact Details section have not been evaluated. Furthermore, products that have exceeded any software maintenance time periods are also not evaluated and will not be published. Please consult End of Sale and End of Service Life - Extreme Networks for the EOL notices related to the product under question.

Products Potentially Affected

OS/Product	Exposure
Extreme Platform ONE	Yes

Repair recommendations

Extreme Platform ONE:
- Fixed in 25.10.0-104 or later.

Please see the full Security Advisory article here for more details and future updates.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Extreme Networks

SA-2026-048 - ExtremeCloud IQ Cross-Tenant Data Exposure via Extreme Platform One Authentication Rac

SA-2023-047 - Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues (Leaking fr

SA-2023-107 - libcurl cookie injection with none file (CVE-2023-38546)

SA-2023-106 - SOCKS5 heap buffer overflow (CVE-2023-38545)