CVE-2026-9831: Extreme Platform ONE API-Key Race Condition Allows Cross-Tenant Data Leakage
A timing vulnerability in Extreme Platform ONE's identity and access management (IAM) gateway could occasionally allow an authenticated user to view data belonging to a different customer organization. The issue occurs only under specific high-traffic conditions where concurrent API requests overlap, and only affects API-key-based authentication—not Extreme's newer token or OAuth methods. An attacker would need valid API credentials to attempt this, and success is not guaranteed; the flaw is triggered by race conditions in how the gateway validates which tenant's data should be returned.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-362, CWE-488
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path could, under specific high-concurrency traffic conditions, intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued API key to receive response data for another tenant. The issue was observed through ExtremeCloud IQ/XIQ API endpoints and validated against both XIQ/XAPI and Extreme Platform ONE /Common Services API paths. XIQ-native tokens and standard OAuth/Bearer JWT authentication were not affected.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9831 is a race condition (CWE-362) in Extreme Platform ONE's IAM Gateway API-key authentication logic, combined with insufficient identity correlation controls (CWE-488). Under high-concurrency conditions, the gateway's request handling can fail to properly maintain tenant isolation when processing API-key-authenticated requests. An attacker with a valid API key from one tenant may intermittently receive response payloads intended for another tenant. The vulnerability was confirmed across ExtremeCloud IQ (XIQ) API endpoints, the XAPI implementation, and Extreme Platform ONE's Common Services API. Authentication mechanisms based on XIQ-native tokens or standard OAuth/Bearer JWT tokens are not affected, limiting exposure to API-key holders only.
Business impact
Multi-tenant SaaS deployments relying on Extreme Platform ONE face intermittent data leakage between customer accounts. A malicious insider or compromised API key could harvest sensitive configuration, network topology, or compliance-related metadata from other organizations. While the race condition is probabilistic and requires high concurrent traffic, production environments with active API consumption are at risk. Reputational damage, regulatory notification requirements (depending on jurisdiction and data sensitivity), and customer confidence erosion are realistic consequences. The attack requires no user interaction and no special privileges beyond a valid API key, though exploitation success is inconsistent.
Affected systems
Extreme Networks' Extreme Platform ONE IAM Gateway is affected, specifically the API-key authentication path. Impacted API endpoints include those exposed through ExtremeCloud IQ (XIQ), XIQ's XAPI layer, and Extreme Platform ONE's Common Services APIs. Organizations using API-key authentication for programmatic access to Extreme Platform ONE are at risk. XIQ-native tokens and standard OAuth/Bearer JWT authentication are explicitly not affected, so token-based integrations and SAML/OpenID Connect flows remain secure.
Exploitability
Exploitation requires a valid API key from one tenant and repeated requests designed to trigger concurrent processing overlaps. The race condition is not deterministic—success depends on precise timing during high-traffic periods, making consistent exploitation unreliable. No network-level access barrier exists (the vulnerability is remotely exploitable), but the attacker must be authenticated. The attack is feasible for insiders or holders of compromised credentials, but external, unauthenticated attackers cannot trigger it. CVSS 3.1 score of 6.3 (MEDIUM) reflects the requirement for authentication (PR:L), high complexity in achieving the race condition (AC:H), and the high confidentiality impact (C:H) balanced against lack of integrity or availability damage. The vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, and no public exploit code is known.
Remediation
Extreme Networks must issue an update to Extreme Platform ONE that adds proper request-scoped tenant identification and synchronization controls to prevent cross-tenant response leakage under concurrent load. The fix should enforce tenant context binding before any data query or response assembly. Organizations should prioritize applying patches when available and, in the interim, consider rate-limiting or connection-pooling strategies to reduce high-concurrency scenarios that trigger the race condition. Audit logs should be reviewed for evidence of cross-tenant data access, especially if API keys have been exposed or if high traffic spikes have occurred.
Patch guidance
Verify the vendor advisory from Extreme Networks for the specific patched version addressing CVE-2026-9831 in Extreme Platform ONE. Apply the patch to all IAM Gateway instances in your deployment. After patching, conduct a brief functional test of API-key authentication and verify that multi-tenant isolation remains intact under normal load. If using a managed XIQ service, coordinate with Extreme to confirm when patches have been deployed to your tenant. Document the patch version and deployment timestamp for audit and compliance records.
Detection guidance
Monitor API authentication logs for unusual patterns: multiple API-key requests returning 2xx responses with data mismatches (e.g., different organization IDs in request vs. response), particularly during high concurrent traffic windows. Enable query logging on the IAM Gateway if available, and correlate response latency spikes with multi-tenant data access anomalies. Network detection is challenging without vendor-supplied signatures, but correlation between API key source, request timestamp, and tenant ID in responses can surface potential race condition exploitation. SIEM rules should flag cases where a single API key's requests receive responses tagged to multiple tenant organizations in a short timeframe.
Why prioritize this
Although CVSS severity is MEDIUM, the impact—confidential data leakage across customer boundaries in a multi-tenant SaaS platform—warrants prioritization for Extreme Platform ONE operators and customers. The race condition's probabilistic nature does not reduce the reputational and regulatory risk; any confirmed cross-tenant data exposure is a material breach. Patching is relatively low-risk (fixes authentication logic without API-breaking changes), so remediation should be scheduled promptly. Organizations with high API traffic, strict data governance requirements, or sensitive workloads in Extreme Platform ONE should patch first.
Risk score, explained
CVSS 3.1 score of 6.3 (MEDIUM) reflects: (1) Authentication requirement (PR:L) reduces attack surface to credential holders; (2) High Attack Complexity (AC:H) due to race condition timing dependency; (3) High Confidentiality impact (C:H) from cross-tenant data exposure; (4) Changed Scope (S:C) because impact affects other tenants; (5) No Integrity or Availability impact. The score does not account for the insider or compromised-credential scenarios, which may elevate perceived risk in practice. The probabilistic nature of the race condition and lack of KEV listing suggest it is not yet actively exploited in the wild, but this should not delay patching.
Frequently asked questions
Can I be exploited if I use OAuth or JWT bearer tokens instead of API keys?
No. The vulnerability is specific to API-key authentication in the IAM Gateway. If your integrations use XIQ-native tokens, standard OAuth, or Bearer JWT authentication, this race condition does not affect you. Review your integrations to confirm which authentication method each uses.
Does this vulnerability allow an attacker without any credentials to access data?
No. The attacker must possess a valid API key from at least one tenant. External, unauthenticated attackers cannot trigger this vulnerability. However, if an API key is compromised, the risk is elevated.
Why is the patch listed as MEDIUM severity if it could leak customer data?
CVSS 3.1 accounts for the race condition's unpredictable nature (high complexity), the authentication requirement, and the fact that integrity and availability are not impacted. However, the reputational and regulatory implications of cross-tenant data leakage are severe. Treat this as a high priority for remediation despite the MEDIUM CVSS score.
If I haven't seen signs of exploitation, do I still need to patch?
Yes. The race condition is difficult to reliably exploit and may leave minimal forensic traces. Absence of detected exploitation does not indicate absence of risk. Patch as soon as practical to prevent potential future exposure, especially if your API traffic is high or your data is sensitive.
This analysis is provided for informational and educational purposes to help security teams understand and remediate CVE-2026-9831. It does not constitute legal advice, warranty, or an endorsement of any vendor, product, or service. Patch version numbers, remediation timelines, and vendor advisory details should be verified directly with Extreme Networks. Organizations should conduct their own risk assessment based on their environment, data sensitivity, and threat model. SEC.co makes no guarantee of exploit availability, detection methods, or the completeness of this analysis. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-46187MEDIUMLinux RSI Driver Use-After-Free Vulnerability (CVSS 4.7)
- CVE-2026-46272MEDIUMLinux CoreSight TMC-ETR Race Condition DoS
- CVE-2026-46416MEDIUMMicrosoft UFO WebSocket Handler Session Isolation Flaw
- CVE-2026-47741MEDIUMShopper Discount Over-Redemption Race Condition (MEDIUM)
- CVE-2026-10006HIGHChrome WebAudio Race Condition Remote Code Execution
- CVE-2026-10565LOWRace Condition in Open5GS NGAP Handover Affects 5G Service Continuity
- CVE-2026-10940HIGHChrome Windows Sandbox Escape via Codec Race Condition
- CVE-2026-46157HIGHLinux Kernel ALSA PCM OSS Data Race Vulnerability