CVE-2026-20114Improper Validation of Syntactic Correctness of Input in Cisco IOS XE Software

CWE-1286Improper Validation of Syntactic Correctness of Input4 documents4 sources
Severity
5.4MEDIUMNVD
EPSS
0.0%
top 91.02%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Cisco IOS XE Software
Timeline
PublishedMar 25

Description

A vulnerability in the Lobby Ambassador web-based management API of Cisco IOS XE Software could allow an authenticated, remote attacker to elevate their privileges and access management APIs that would not normally be available for Lobby Ambassador users. This vulnerability exists because parameters that are received by an API endpoint are not sufficiently validated. An attacker could exploit this vulnerability by authenticating as a Lobby Ambassador user and sending a crafted HTTP request to an

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages1 packages

CVEListV5cisco/cisco_ios_xe_software176 versions+175

🔴Vulnerability Details

2
CVEList
CVE-2026-20114: A vulnerability in the Lobby Ambassador web-based management API of Cisco IOS XE Software could allow an authenticated, remote attacker to elevate the2026-03-25
GHSA
GHSA-3855-fjjh-9xh2: A vulnerability in the Lobby Ambassador web-based management API of Cisco IOS XE Software could allow an authenticated, remote attacker to elevate the2026-03-25

📋Vendor Advisories

1
Cisco
Cisco IOS XE Software Lobby Ambassador Privilege Escalation Vulnerability2026-03-25
CVE-2026-20114 — Cisco IOS XE Software vulnerability | cvebase