CVE-2026-20223
Published: 2026-05-20
Priority P2 74, critical, CVSS 3.1: 10
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS: 0.90% (55.0th percentile)
A vulnerability in the access validation of internal REST APIs of Cisco Secure Workload could allow an unauthenticated, remote attacker to access site resources with the privileges of the Site Admin role.
This vulnerability is due to insufficient validation and authentication when accessing REST API endpoints. An attacker could exploit this vulnerability if they are able to send a crafted API request to an affected endpoint. A successful exploit could allow the attacker to read sensitive information and make configuration changes across tenant boundaries with the privileges of the Site Admin user.
Affected
101 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_secure_workload | — | — |
Detection & IOCs (extracted from sources)
- Exploit vector is a crafted API request sent to an internal REST API endpoint of Cisco Secure Workload; monitor for unauthenticated or anomalous requests to internal REST API endpoints, especially those resulting in Site Admin-level actions or cross-tenant configuration changes.
- Alert on any unauthenticated access or privilege escalation to Site Admin role via REST API calls in Cisco Secure Workload (both SaaS and on-prem deployments), particularly cross-tenant configuration changes.
- The vulnerability exists regardless of device configuration; detection should not rely on specific configuration states. All Cisco Secure Workload deployments on SaaS and on-prem are in scope.
- Cisco Secure Workload Release 3.9 and earlier are end-of-fix; operators must migrate to a fixed release, as patching in-place is not available for these versions.
- Fixed version for Release 3.10 branch is 3.10.8.3; deployments running any earlier 3.10.x build remain vulnerable.
- Fixed version for Release 4.0 branch is 4.0.3.17; deployments running any earlier 4.0.x build remain vulnerable.
- There are no workarounds available for this vulnerability; patching is the only remediation path.
- Cloud-based (SaaS) deployments of Cisco Secure Workload have already been patched by Cisco; no customer action is required for SaaS instances.
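A version triage against the fixed builds listed above, as an added example (not code from Cisco or from this page). The cluster names, deployment labels and sample version strings are constructed, and branches the page does not mention are reported as unknown rather than guessed.

```python
import re

# Fixed builds per release branch, taken from the bullets above.
FIXED = {(3, 10): (3, 10, 8, 3), (4, 0): (4, 0, 3, 17)}
END_OF_FIX = (3, 9)  # Release 3.9 and earlier receive no fix


def parse_version(text):
    """Turn a dotted numeric string such as '3.10.8.3' into a tuple of ints."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def triage(version, deployment="on-prem"):
    """Classify one cluster against the remediation guidance on this page."""
    if deployment == "saas":
        return "patched by Cisco: no customer action"
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch <= END_OF_FIX:
        return "end-of-fix: migrate to a fixed release"
    fixed = FIXED.get(branch)
    if fixed is None:
        # The page names no fixed build for this branch; do not guess.
        return "unknown: branch not listed, check the Cisco advisory"
    padded = parsed + (0,) * (4 - len(parsed))  # '4.0.3' compares as 4.0.3.0
    if padded >= fixed:
        return "fixed"
    return "vulnerable: upgrade to " + ".".join(map(str, fixed))


def triage_inventory(rows):
    """rows: iterable of (name, version, deployment) -> list of (name, verdict)."""
    return [(name, triage(ver, dep)) for name, ver, dep in rows]


# Constructed sample inventory (hypothetical cluster names and versions).
SAMPLE = [
    ("csw-lab", "3.9.1.1", "on-prem"),
    ("csw-dc1", "3.10.8.2", "on-prem"),
    ("csw-dc2", "4.0.3.13", "on-prem"),
    ("csw-dc3", "4.0.3.17", "on-prem"),
    ("csw-cloud", "", "saas"),
]

if __name__ == "__main__":
    for name, verdict in triage_inventory(SAMPLE):
        print(f"{name:10} {verdict}")
```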
VulDB
Cisco Secure Workload up to 4.0.3.13 REST API missing authentication (cisco-sa-csw-pnbsa-g8WEnuy)
vuldb·2026-05-20·CVSS 10.0
CVE-2026-20223 [CRITICAL] Cisco Secure Workload up to 4.0.3.13 REST API missing authentication (cisco-sa-csw-pnbsa-g8WEnuy)
A vulnerability was found in Cisco Secure Workload. It has been declared as critical. Affected is an unknown function of the component REST API. The manipulation results in missing authentication.
This vulnerability is reported as CVE-2026-20223. The attack can be launched remotely. No exploit exists.
It is recommended to upgrade the affected component.
GHSA
GHSA-p3hw-qj46-c684: A vulnerability in the access validation of internal REST APIs of Cisco Secure Workload could allow an unauthenticated, remote attacker to access site
ghsa_unreviewed·2026-05-20
CVE-2026-20223 [CRITICAL] CWE-306 GHSA-p3hw-qj46-c684: A vulnerability in the access validation of internal REST APIs of Cisco Secure Workload could allow an unauthenticated, remote attacker to access site
No detection rules found.
No public exploits indexed.
Hackernews
⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos
blogs_hackernews·2026-05-25
CVE-2026-46333 ⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos
## ⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos
Monday recap. Same mess, new week.
A sketchy dev tool got people pwned, old bugs came back from the dead, and security products somehow needed protecting from themselves. A bunch of companies spent the week checking old boxes and forgotten servers they should've patched years ago. Good times.
Phishing crews are getting smarter too - less obvious scam junk, more targeted stuff that actually looks real. Meanwhile, botnets are grabbing anything exposed to the internet like it's free candy. The Internet's still a dumpster fire.
Let’s get into
Hackernews
Cisco Patches CVSS 10.0 Secure Workload REST API Flaw Enabling Data Access
blogs_hackernews·2026-05-22·CVSS 10.0
CVE-2026-20223 [CRITICAL] Cisco Patches CVSS 10.0 Secure Workload REST API Flaw Enabling Data Access
## Cisco Patches CVSS 10.0 Secure Workload REST API Flaw Enabling Data Access
Cisco has rolled out updates for a maximum-severity security flaw impacting Secure Workload that could allow an unauthenticated, remote attacker to access sensitive data.
Tracked as CVE-2026-20223 (CVSS score: 10.0), the vulnerability arises from insufficient validation and authentication when accessing REST API endpoints.
"An attacker could exploit this vulnerability if they are able to send a crafted API request to an affected endpoint," Cisco said. "A successful exploit could allow the attacker to read sensitive information and make configuration
Bleepingcomputer
Max severity Cisco Secure Workload flaw gives Site Admin privileges
blogs_bleepingcomputer·2026-05-21·CVSS 10.0
CVE-2026-20223 [CRITICAL] Max severity Cisco Secure Workload flaw gives Site Admin privileges
## Max severity Cisco Secure Workload flaw gives Site Admin privileges
By Sergiu Gatlan
Cisco has released security updates to address a maximum-severity Secure Workload vulnerability that allows attackers to gain Site Admin privileges.
Formerly known as Cisco Tetration, Cisco Secure Workload helps admins reduce their network's attack surface through zero trust microsegmentation and stop lateral movement to keep business applications safe.
Tracked as CVE-2026-20223, the security flaw was found in Secure Workload's internal REST APIs, and it enables unauthenticated attackers to access resources with the privileges of the Site Admin role.
"This vulnerability is due to insufficient validation and authentication when accessing REST API endpoints. An attacker could exploit this vulnerabil
Published: 2026-05-20