CVE-2026-20193 Overview
CVE-2026-20193 is an authorization vulnerability in the RADIUS Policy API endpoints of Cisco Identity Services Engine (ISE). The flaw stems from improper role-based access control (RBAC) enforcement, allowing an authenticated remote attacker holding read-only Administrator credentials to retrieve sensitive RADIUS Policy data restricted to higher-privileged roles. Exploitation requires bypassing the web-based management interface and invoking the affected API endpoints directly. The vulnerability impacts confidentiality only and does not affect integrity or availability of the device.
Critical Impact
An authenticated attacker with read-only Administrator privileges can access RADIUS Policy configuration details outside their authorized role, exposing network access policy data.
Affected Products
- Cisco Identity Services Engine (ISE)
- Cisco ISE RADIUS Policy API endpoints
- See the Cisco Security Advisory for fixed release versions
Discovery Timeline
- 2026-05-06 - CVE-2026-20193 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-20193
Vulnerability Analysis
The vulnerability resides in the RADIUS Policy API endpoints of Cisco ISE. These endpoints fail to enforce the same authorization checks applied through the web-based management interface. A read-only Administrator possesses valid credentials but should not see policy configuration details restricted to elevated roles. By calling the API directly, the attacker bypasses interface-layer controls and retrieves data the backend should reject.
The weakness maps to [CWE-862] Missing Authorization. The API trusts session authentication without re-validating that the authenticated role is permitted to read the requested RADIUS Policy resource. This is a server-side authorization gap, not a client-side filtering issue.
Exploitation does not produce code execution, configuration changes, or service disruption. The impact is limited to unauthorized read access to RADIUS Policy details, which may include authentication rules, authorization profiles, and conditions used to govern network access decisions.
Root Cause
The root cause is incomplete RBAC permission checks on specific RADIUS Policy API endpoints. The endpoints validate authentication but do not verify that the caller's role grants read access to the targeted policy object.
Attack Vector
The attacker must first obtain valid read-only Administrator credentials through legitimate provisioning, credential theft, or insider access. The attacker then issues HTTP requests to the affected RADIUS Policy API endpoints, bypassing the web UI workflow. The server returns policy data without enforcing the role restriction. No verified exploit code or public proof-of-concept is currently available.
Detection Methods for CVE-2026-20193
Indicators of Compromise
- API requests to RADIUS Policy endpoints originating from accounts assigned read-only Administrator roles
- Direct API calls to ISE management endpoints that bypass typical web UI navigation patterns
- Unusual volume of GET requests against RADIUS Policy resources from a single administrative session
Detection Strategies
- Review Cisco ISE administrative audit logs for API calls made by read-only accounts targeting RADIUS Policy endpoints
- Correlate authentication events with API access patterns to identify role-to-endpoint mismatches
- Baseline normal API consumption per administrative role and alert on deviations
Monitoring Recommendations
- Forward Cisco ISE syslog and audit data to a centralized SIEM for role-based access analytics
- Enable verbose API access logging on ISE to capture endpoint, caller identity, and assigned role
- Monitor for read-only accounts performing reconnaissance against management APIs outside the web console
How to Mitigate CVE-2026-20193
Immediate Actions Required
- Apply the fixed Cisco ISE software release listed in the Cisco Security Advisory
- Audit all accounts assigned the read-only Administrator role and remove unnecessary access
- Rotate credentials for any read-only Administrator account suspected of compromise
Patch Information
Cisco has released fixed software addressing this vulnerability. Refer to the Cisco Security Advisory cisco-sa-ise-unauth-bypass-uxjRXGpb for the list of fixed releases and upgrade guidance. No officially supported workarounds are documented by the vendor.
Workarounds
- Restrict network access to the Cisco ISE management interface and APIs to trusted administrative subnets
- Enforce multi-factor authentication on all ISE administrative accounts to reduce credential-abuse risk
- Apply the principle of least privilege when issuing read-only Administrator roles
# Configuration example: restrict ISE management API access using an ACL
ip access-list extended ISE-MGMT-RESTRICT
permit tcp 10.10.0.0 0.0.0.255 host <ISE-MGMT-IP> eq 443
deny tcp any host <ISE-MGMT-IP> eq 443 log
permit ip any any
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
