CVE-2026-20195 PUBLISHED

Cisco Identity Services Engine Observable Response Discrepancy Vulnerability

Assigner: cisco
Reserved: 08.10.2025 Published: 06.05.2026 Updated: 06.05.2026

A vulnerability in an identity management API endpoint of Cisco ISE could allow an unauthenticated, remote attacker to enumerate valid user accounts on an affected device.

This vulnerability exists because error messages are observed when the affected API endpoint is called. An attacker could exploit this vulnerability by sending a series of crafted requests to the affected endpoint and analyzing the differentiated responses. A successful exploit could allow the attacker to compile a list of valid usernames on an affected system.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 5.3

Product Status

Vendor Cisco
Product Cisco Identity Services Engine Software
Versions Default: unknown
  • Version 3.3.0 is affected
  • Version 3.3 Patch 2 is affected
  • Version 3.3 Patch 1 is affected
  • Version 3.3 Patch 3 is affected
  • Version 3.4.0 is affected
  • Version 3.3 Patch 4 is affected
  • Version 3.4 Patch 1 is affected
  • Version 3.3 Patch 5 is affected
  • Version 3.3 Patch 6 is affected
  • Version 3.4 Patch 2 is affected
  • Version 3.3 Patch 7 is affected
  • Version 3.4 Patch 3 is affected
  • Version 3.5.0 is affected
  • Version 3.4 Patch 4 is affected
  • Version 3.3 Patch 8 is affected
  • Version 3.5 Patch 1 is affected
  • Version 3.3 Patch 9 is affected
  • Version 3.4 Patch 5 is affected
  • Version 3.5 Patch 3 is affected
  • Version 3.5 Patch 2 is affected
  • Version 3.3 Patch 10 is affected

Exploits

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.

References

Problem Types

  • Observable Response Discrepancy cwe