SB2026040177 - Improper authorization in Cisco Evolved Programmable Network Manager




Published: April 1, 2026

Security Bulletin ID: SB2026040177
Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Missing authorization (CVE-ID: CVE-2026-20155)

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to missing authorization checks in the REST API endpoint of an affected device. A remote authenticated user can send a specially crafted HTTP request and view session information of active Cisco EPNM users, including users with administrative privileges. Extracted session information can be used to log in with administrative privileges and compromise the system.


Remediation

Install the update from the vendor's website.