CVE-2026-20029: Cisco ISE XML Vulnerability Leading to Sensitive File Disclosure

CVE-2026-20029 is a security flaw in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC).
It’s classified as an XML External Entity (XXE) information disclosure vulnerability — meaning that if someone can supply specially crafted XML data, the system might end up revealing sensitive files on the server that shouldn’t be exposed.

The vulnerability exists because the web-based management interface of these products doesn’t properly validate XML input before processing it. An attacker must already hold administrative credentials to trigger it, so this is an information disclosure that an unauthenticated outsider cannot exploit on its own (and not remote code execution); what it does allow is for someone with those credentials to read arbitrary files on the system that are normally off-limits.
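The mechanism behind an XXE file disclosure is a parser that dereferences external entities declared in a DTD. The following added example (not Cisco's code; the ISE-side XML handler is not public, so a generic Python `xml.sax` parser stands in for any server-side endpoint that accepts XML from administrators) shows the weak parser setting beside the hardened configuration, and verifies each against a file the example creates itself. The `demo`, `parse_weak`, `parse_hardened` and `entity_probe_document` names are this example's own.

```python
"""Added example (not Cisco's code; the ISE handler is not public): the
parser setting that turns XML input into a file-disclosure primitive,
beside the hardened configuration. A generic xml.sax parser stands in
for any server-side endpoint that accepts XML from administrators."""
import io
import os
import re
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Management-plane XML (config import, API payloads) never needs a DTD,
# so refusing any DOCTYPE blocks every entity declaration before the
# parser sees it. This is the guard the hardened path applies.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class TextCollector(ContentHandler):
    """Collects character data; whatever the parser substitutes for an
    entity reference shows up here."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def _parse(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks)


def parse_weak(xml_bytes: bytes) -> str:
    """Weak configuration: external general entities are dereferenced, so
    a SYSTEM entity naming a local file is replaced by that file's text.
    This is the XXE information-disclosure pattern the advisory describes."""
    return _parse(xml_bytes, resolve_external_entities=True)


def parse_entities_disabled(xml_bytes: bytes) -> str:
    """Parser-level fix only: the entity reference is left unresolved
    (it expands to nothing), so no file content leaks."""
    return _parse(xml_bytes, resolve_external_entities=False)


def parse_hardened(xml_bytes: bytes) -> str:
    """Hardened configuration: reject DOCTYPE up front and keep external
    entity resolution off, so a bypass of one layer is caught by the other."""
    if _DOCTYPE_RE.search(xml_bytes):
        raise ValueError("XML carrying a DOCTYPE/DTD is not accepted")
    return _parse(xml_bytes, resolve_external_entities=False)


def entity_probe_document(path: str) -> bytes:
    """Constructed test input: a DTD declaring an external entity that
    points at a local file, referenced once in element content. Used here
    only to verify parser configuration against a file we create ourselves."""
    return (
        b'<?xml version="1.0"?>'
        b'<!DOCTYPE config [<!ENTITY ext SYSTEM "file://' + path.encode() + b'">]>'
        b"<config><description>&ext;</description></config>"
    )


def demo() -> dict:
    """Runs the probe against each configuration and reports what each one
    returned. The 'secret' file is created and removed by this function."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-", suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write("secret-value-1234")  # constructed stand-in for a sensitive file
    doc = entity_probe_document(path)
    results = {}
    try:
        results["weak"] = parse_weak(doc)                    # leaks the file text
        results["entities_disabled"] = parse_entities_disabled(doc)  # ""
        try:
            parse_hardened(doc)
            results["hardened"] = "accepted"
        except ValueError as exc:
            results["hardened"] = f"rejected: {exc}"
        results["hardened_plain"] = parse_hardened(
            b"<config><description>plain input</description></config>")
    finally:
        os.unlink(path)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18s} -> {value!r}")
```

The design point is the two layers: the DOCTYPE guard removes the attack surface entirely for interfaces that never need a DTD, while disabling external entity resolution protects the parser even when input reaches it by another path. On Python 3.7.1 and later `feature_external_ges` is already off by default; the example sets it explicitly because the safe default is exactly the kind of setting that frameworks and older code paths sometimes turn back on.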


Severity

  • CVSS v3.1 Score: 4.9 (Medium)
    This reflects that exploitation requires high privileges, while the impact can still be significant because sensitive data is exposed.

Versions Affected & Fixed

Cisco has published fixes for the vulnerability in specific releases of ISE and ISE-PIC. If you’re running one of the vulnerable versions below, you should plan to update as soon as possible:

Vulnerable Versions:

  • Releases earlier than 3.2 — no patched build is provided; migrate to a fixed release
  • Cisco ISE / ISE-PIC 3.2 — fixed in Patch 8 (earlier patch levels are vulnerable)
  • Cisco ISE / ISE-PIC 3.3 — fixed in Patch 8 (earlier patch levels are vulnerable)
  • Cisco ISE / ISE-PIC 3.4 — fixed in Patch 4 (earlier patch levels are vulnerable)

Not Vulnerable:

  • Cisco ISE / ISE-PIC 3.5 and later — these versions are not affected by this issue.

There are no workarounds for this vulnerability. Cisco strongly recommends installing the fixed releases, since leaving systems unpatched while public exploit code is circulating increases the risk of exposure.


Who Can Exploit It?

  • Must already have valid administrative access to the ISE/ISE-PIC interface.
  • A remote attacker holding those credentials could submit malicious XML and read files outside the interface’s normal scope.

This isn’t a flaw that lets someone break into your system from the outside on its own — but if an insider or attacker already has admin access, they could use it to read files on the system they otherwise couldn’t see.


What Should You Do?

  1. Check your ISE / ISE-PIC version.
  2. Apply the Cisco patches or upgrade to a non-vulnerable version (3.5 or later).
  3. Enforce strong administrative access controls — because admin access abuse is a prerequisite for exploiting this flaw.
  4. Monitor for misuse or unusual file access patterns in your logs.
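Steps 1 and 2 amount to comparing each appliance's release and patch level against the fixed releases listed above. The following added example (not Cisco's tooling) encodes that table and classifies version strings for a fleet; the accepted input shape ("3.3 Patch 7", "3.4.0.608 P3", "3.5") and the `assess` and `hosts_needing_action` names are assumptions made for this example, not an ISE output format or API.

```python
"""Added example (not Cisco's tooling): triage ISE / ISE-PIC versions
against the fixed releases this advisory lists. The accepted input shape
("3.3 Patch 7", "3.4.0.608 P3", "3.5") is an assumption, not an ISE
output format."""
import re

# Fixed-in patch level per affected release train, as listed in the advisory.
FIRST_FIXED_PATCH = {(3, 2): 8, (3, 3): 8, (3, 4): 4}
# Release trains from this one onward are not affected.
FIRST_UNAFFECTED = (3, 5)
# Trains below this one receive no patch at all.
OLDEST_PATCHED_TRAIN = (3, 2)

NOT_AFFECTED = "not-affected"
FIXED = "fixed"
VULNERABLE_PATCH_AVAILABLE = "vulnerable-patch-available"
VULNERABLE_NO_PATCH = "vulnerable-no-patch"

# major.minor, optional further dotted numbers, optional "Patch N" / "P N".
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.\d+)*\s*(?:(?:patch|p)\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Returns (major, minor, patch); a missing patch level counts as 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess(text: str) -> tuple:
    """Classifies one version string and returns (status, recommendation)."""
    major, minor, patch = parse_version(text)
    train = (major, minor)
    if train >= FIRST_UNAFFECTED:
        return NOT_AFFECTED, "not affected by CVE-2026-20029"
    if train < OLDEST_PATCHED_TRAIN:
        return VULNERABLE_NO_PATCH, "no patch for this train; upgrade to 3.5 or later"
    fixed_patch = FIRST_FIXED_PATCH[train]  # train is 3.2, 3.3 or 3.4 here
    if patch >= fixed_patch:
        return FIXED, f"{major}.{minor} Patch {patch} includes the fix"
    return (VULNERABLE_PATCH_AVAILABLE,
            f"apply {major}.{minor} Patch {fixed_patch} or upgrade to 3.5 or later")


def hosts_needing_action(inventory: dict) -> list:
    """Given {hostname: version string}, returns the hosts that are still
    vulnerable, sorted, each with its recommendation."""
    out = []
    for host, version in sorted(inventory.items()):
        status, advice = assess(version)
        if status.startswith("vulnerable"):
            out.append((host, status, advice))
    return out


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are made up for the demo.
    sample = {
        "ise-pan-01": "3.2 Patch 7",
        "ise-pan-02": "3.3.0.430 Patch 8",
        "ise-psn-03": "3.4 P3",
        "ise-pic-01": "3.1 Patch 9",
        "ise-lab-01": "3.5",
    }
    for host, status, advice in hosts_needing_action(sample):
        print(f"{host}: {status}: {advice}")
```

Treating a missing patch number as patch 0 is deliberate: an inventory entry that records only "3.2" should be flagged for follow-up, not silently assumed to be patched.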