CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

Cisco Slido Insecure Direct Object Reference Vulnerability

mediumCVE-2026-20219
A vulnerability in the REST API of Cisco Slido could have allowed an authenticated, remote attacker to access the social profile data of other users or affect quiz and poll results. Cisco has addressed this vulnerability in Cisco Slido and no customer action is needed. This vulnerability existed because of the presence of an insecure direct object reference. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by sending a crafted request to the vulnerable API endpoint. A successful exploit could have allowed the attacker to view the social profiles of other users or affect quiz and poll results. As mentioned, Cisco has addressed this vulnerability in the Slido service, and no customer action is necessary to update on-premises software or devices. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-slido-idor-CpsFmKxN Security Impact Rating: Medium CVE: CVE-2026-20219

CSIRTS triage

What
A vulnerability in the REST API could allow an authenticated attacker to access the social profile data of other users.
Who is affected
Authenticated users of Cisco Slido are affected.
Urgency
Remediation is necessary as it could lead to unauthorized access to user data.
Action
No action is needed as Cisco has addressed this vulnerability.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch Cisco Slido

Get an email when a new Cisco Slido advisory drops — max one per day, one-click unsubscribe.

Details

Source
Cisco Security Advisories (INTL · vendor-psirt · site)
Severity
medium
Published
2026-05-06
Exploitation
Not in CISA KEV at last sync

Original advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-slido-idor-CpsFmKxN?vs_f=Cisco%20Security%20Advisory%26vs_cat=Security%20Intelligence%26vs_type=RSS%26vs_p=Cisco%20Slido%20Insecure%20Direct%20Object%20Reference%20Vulnerability%26vs_k=1

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-20219coverage & exploitation statusNVD · CVE.org

More from Cisco Security Advisories