CVE-2026-0689 MEDIUM

CVE-2026-0689: XIQ‑SE NAC Admin Credential Exposure via HTTP Response

Vendor Extreme Networks
Product ExtremeCloud IQ - Site Engine
Weakness CWE-522 · Insufficiently protected credentials
Published March 2, 2026
Last update March 2, 2026

CVSS base score

6.0/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

What the vulnerability does

01 Description

In ExtremeCloud IQ – Site Engine (XIQ‑SE) before 26.2.10, a vulnerability in the NAC administration interface allows an authenticated NAC administrator to retrieve masked sensitive parameters from HTTP responses. Although credentials appear redacted in the user interface, the application returns the underlying credential values in the HTTP response, enabling an authorized administrator to recover stored secrets that may exceed their intended access. We would like to thank the Lockheed Martin Red Team for responsibly reporting this issue and working with us through coordinated disclosure.

Key dates

02 Disclosure timeline

March 2, 2026 CVE published
March 2, 2026 Record updated