cbcvebase.
CVE-2026-20184
published 2026-04-15

CVE-2026-20184: A vulnerability in the integration of single sign-on (SSO) with Control Hub in Cisco Webex Services could have allowed an unauthenticated, remote attacker to…

PriorityP268critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.52%
40.2th percentile
A vulnerability in the integration of single sign-on (SSO) with Control Hub in Cisco Webex Services could have allowed an unauthenticated, remote attacker to impersonate any user within the service. This vulnerability existed because of improper certificate validation. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by connecting to a service endpoint and supplying a crafted token. A successful exploit could have allowed the attacker to gain unauthorized access to legitimate Cisco Webex services.

Affected

57 ranges· showing 25
VendorProductVersion rangeFixed in
ciscocisco_webex_meetings
ciscocisco_webex_meetings
ciscocisco_webex_meetings
ciscocisco_webex_meetings
ciscocisco_webex_meetings
ciscocisco_webex_meetings
ciscocisco_webex_meetings
ciscocisco_webex_meetings
ciscocisco_webex_meetings
ciscocisco_webex_meetings
ciscocisco_webex_meetings
ciscocisco_webex_meetings
ciscocisco_webex_meetings
ciscocisco_webex_meetings
ciscocisco_webex_meetings
ciscocisco_webex_meetings
ciscocisco_webex_meetings
ciscocisco_webex_meetings
ciscocisco_webex_meetings
ciscocisco_webex_meetings
ciscocisco_webex_meetings
ciscocisco_webex_meetings
ciscocisco_webex_meetings
ciscocisco_webex_meetings
ciscocisco_webex_meetings

Detection & IOCsextracted from sources · hover to see the quote

  • Exploit vector involves connecting to a Webex SSO/Control Hub service endpoint and supplying a crafted (forged) token — monitor for anomalous or malformed SAML/SSO token submissions to Webex Control Hub endpoints
  • Root cause is improper certificate validation (CWE-295) in SSO/SAML integration with Control Hub — detection should focus on SAML assertions signed by unexpected or untrusted certificates/IdPs being accepted
  • Successful exploitation results in user impersonation within Webex Services — audit Webex access logs for logins from unexpected geographic locations or devices, especially for high-privilege accounts, correlated with SSO authentication events
  • Cisco internal Bug ID CSCwt37111 can be used to cross-reference vendor advisories and threat intelligence feeds for this specific vulnerability
  • ·Customer action is required for organizations using SSO integration: a new IdP SAML certificate must be uploaded to Control Hub, or SSO authentication may be disrupted or remain at risk
  • ·The server-side fix is cloud-delivered by Cisco; no software patch is required on-premises, but the SAML certificate upload to Control Hub is mandatory for SSO customers to complete remediation
  • ·Cisco PSIRT confirmed no evidence of exploitation in the wild at time of advisory publication

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_cisco3.1
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.