CVE-2026-20195 MEDIUM

CVE-2026-20195: Cisco Identity Services Engine Observable Response Discrepancy Vulnerability

Vendor Cisco
Product Cisco Identity Services Engine Software
Weakness CWE-204
Published May 6, 2026
Last update May 6, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

A vulnerability in an identity management API endpoint of Cisco ISE could allow an unauthenticated, remote attacker to enumerate valid user accounts on an affected device. This vulnerability exists because error messages are observed when the affected API endpoint is called. An attacker could exploit this vulnerability by sending a series of crafted requests to the affected endpoint and analyzing the differentiated responses. A successful exploit could allow the attacker to compile a list of valid usernames on an affected system.

Key dates

02Disclosure timeline

May 6, 2026 CVE published
May 6, 2026 Record updated