CVE-2026-20114

Name of the Vulnerable Software and Affected Versions Cisco IOS XE Software (affected versions not specified)

Description A flaw exists in the Lobby Ambassador web-based management API of Cisco IOS XE Software that could allow an authenticated, remote attacker to gain elevated privileges and access management APIs normally unavailable to Lobby Ambassador users. This is due to insufficient validation of parameters received by an API endpoint. An attacker can exploit this by authenticating as a Lobby Ambassador user and sending a crafted HTTP request to a vulnerable device. Successful exploitation could allow the attacker to create a new user with privilege level 1 access to the web-based management API, enabling access to the device with elevated credentials. The vulnerable API endpoint receives HTTP requests with insufficiently validated parameters.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.