CVE-2026-20195
MEDIUMCisco Identity Services Engine Observable Response Discrepancy Vulnerability
Title source: cnaDescription
A vulnerability in an identity management API endpoint of Cisco ISE could allow an unauthenticated, remote attacker to enumerate valid user accounts on an affected device. This vulnerability exists because error messages are observed when the affected API endpoint is called. An attacker could exploit this vulnerability by sending a series of crafted requests to the affected endpoint and analyzing the differentiated responses. A successful exploit could allow the attacker to compile a list of valid usernames on an affected system.
References (1)
Core 1
Core References
cisco-sa-ise-unauth-bypass-uxjRXGpb
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-bypass-uxjRXGpb
Scores
CVSS v3
5.3
EPSS
0.0004
EPSS Percentile
11.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-204
Status
published
Products (21)
Cisco/Cisco Identity Services Engine Software
3.3 Patch 1
Cisco/Cisco Identity Services Engine Software
3.3 Patch 10
Cisco/Cisco Identity Services Engine Software
3.3 Patch 2
Cisco/Cisco Identity Services Engine Software
3.3 Patch 3
Cisco/Cisco Identity Services Engine Software
3.3 Patch 4
Cisco/Cisco Identity Services Engine Software
3.3 Patch 5
Cisco/Cisco Identity Services Engine Software
3.3 Patch 6
Cisco/Cisco Identity Services Engine Software
3.3 Patch 7
Cisco/Cisco Identity Services Engine Software
3.3 Patch 8
Cisco/Cisco Identity Services Engine Software
3.3 Patch 9
... and 11 more
Published
May 06, 2026
Tracked Since
May 06, 2026