CVE-2026-20223
published 2026-05-20


Priority: P2 · 74 · critical · CVSS 3.1: 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS: 0.90% (55.0th percentile)
A vulnerability in the access validation of internal REST APIs of Cisco Secure Workload could allow an unauthenticated, remote attacker to access site resources with the privileges of the Site Admin role. This vulnerability is due to insufficient validation and authentication when accessing REST API endpoints. An attacker could exploit this vulnerability if they are able to send a crafted API request to an affected endpoint. A successful exploit could allow the attacker to read sensitive information and make configuration changes across tenant boundaries with the privileges of the Site Admin user.

Affected

101 ranges · showing 25
Vendor · Product · Version range · Fixed in
cisco · cisco_secure_workload

Detection & IOCs (extracted from sources)

  • Exploit vector is a crafted API request sent to an internal REST API endpoint of Cisco Secure Workload; monitor for unauthenticated or anomalous requests to internal REST API endpoints, especially those resulting in Site Admin-level actions or cross-tenant configuration changes.
  • Alert on any unauthenticated access or privilege escalation to Site Admin role via REST API calls in Cisco Secure Workload (both SaaS and on-prem deployments), particularly cross-tenant configuration changes.
  • The vulnerability exists regardless of device configuration; detection should not rely on specific configuration states — all Cisco Secure Workload deployments on SaaS and on-prem are in scope.
  • Cisco Secure Workload Release 3.9 and earlier are end-of-fix; operators must migrate to a fixed release, as patching in-place is not available for these versions.
  • Fixed version for Release 3.10 branch is 3.10.8.3; deployments running any earlier 3.10.x build remain vulnerable.
  • Fixed version for Release 4.0 branch is 4.0.3.17; deployments running any earlier 4.0.x build remain vulnerable.
  • There are no workarounds available for this vulnerability; patching is the only remediation path.
  • Cloud-based (SaaS) deployments of Cisco Secure Workload have already been patched by Cisco; no customer action is required for SaaS instances.
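
The remediation bullets above can be turned into an inventory triage check. The following is an added example, not code from Cisco or from this page; it assumes release strings are dotted-numeric (for example `3.10.8.3`), and the function names, status labels and sample inventory are constructed for illustration.

```python
import re

# Fixed releases per branch, taken from the bullets above.
FIXED = {(3, 10): (3, 10, 8, 3), (4, 0): (4, 0, 3, 17)}
END_OF_FIX_MAX = (3, 9)  # Release 3.9 and earlier: migrate, no in-place patch


def parse_version(text):
    """Return the release as a tuple of ints, or None if not dotted-numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        return None
    return tuple(int(part) for part in text.split("."))


def triage(version, deployment="on-prem"):
    """Classify one cluster against the remediation guidance on this page."""
    if deployment.lower() == "saas":
        return "no-action"  # SaaS instances were already patched by Cisco
    v = parse_version(version)
    if v is None:
        return "unknown"  # unparseable release string: check by hand
    branch = v[:2]
    if branch <= END_OF_FIX_MAX:
        return "migrate"
    fixed = FIXED.get(branch)
    if fixed is None:
        return "unknown"  # branch not covered by this page
    # Compare numerically (3.10.10.x is newer than 3.10.8.3); pad "3.10.8" to 3.10.8.0.
    padded = v + (0,) * (4 - len(v))
    return "fixed" if padded >= fixed else "vulnerable"


def report(inventory):
    """Map each (name, version, deployment) row to its triage status."""
    return {name: triage(version, deployment) for name, version, deployment in inventory}


# Constructed sample inventory, not real deployments.
SAMPLE = [
    ("dc-east", "3.10.8.2", "on-prem"),
    ("dc-west", "4.0.3.17", "on-prem"),
    ("lab", "3.9.1.1", "on-prem"),
    ("tenant-a", "3.8.1.1", "saas"),
]

if __name__ == "__main__":
    for name, status in report(SAMPLE).items():
        print(f"{name}: {status}")
```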