CVE-2026-20193
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk14th percentile - higher than 14% of all known CVEs
Summary
A vulnerability in the RADIUS Policy API endpoints of Cisco ISE allows an authenticated, remote attacker with read-only Administrator privileges to gain unauthorized access to sensitive information. This is due to improper role-based access control (RBAC) permissions on these API endpoints.
Risk Assessment
The organization risks exposure of sensitive RADIUS Policy details, which could be leveraged for further attacks or network compromise. The attacker can bypass the web-based management interface and directly call the vulnerable endpoint.
Recommendation
Apply the Cisco ISE update containing the fix immediately and review RBAC permissions for read-only administrator accounts.
Original NVD description (English source)
A vulnerability in the RADIUS Policy API endpoints of Cisco ISE could allow an authenticated, remote attacker with read-only Administrator privileges to gain unauthorized access to sensitive information on an affected device. This vulnerability is due to improper role-based access control (RBAC) permissions on the RADIUS Policy API endpoints. An attacker could exploit this vulnerability by bypassing the web-based management interface and directly calling an affected endpoint. A successful exploit could allow the attacker to gain unauthorized read access to sensitive RADIUS Policy details that are restricted for their role.

