Full Report
Cisco has rolled out updates for a maximum-severity security flaw impacting Secure Workload that could allow an unauthenticated, remote attacker to access sensitive data. Tracked as CVE-2026-20223 (CVSS score: 10.0), the vulnerability arises from insufficient validation and authentication when accessing REST API endpoints. "An attacker could exploit this vulnerability if they are able to send
Analysis Summary
# Vulnerability: Cisco Secure Workload REST API Critical Authentication Bypass
## CVE Details
- **CVE ID:** CVE-2026-20223
- **CVSS Score:** 10.0 (Critical)
- **CWE:** Insufficient validation and authentication (specifically related to API endpoint access)
## Affected Systems
- **Products:** Cisco Secure Workload (Cluster Software)
- **Versions:**
- Release 3.9 and earlier
- Release 3.10 (versions prior to 3.10.8.3)
- Release 4.0 (versions prior to 4.0.3.17)
- **Configurations:** Impacts both SaaS and on-premise deployments regardless of device configuration.
## Vulnerability Description
A maximum-severity vulnerability exists in the REST API endpoints of Cisco Secure Workload. The flaw stems from insufficient validation and authentication checks. A remote, unauthenticated attacker can exploit this by sending a specially crafted API request to an affected endpoint. Due to the lack of proper tenant isolation in the vulnerable code, the attacker can gain the privileges of a "Site Admin," allowing them to read sensitive data and modify configurations across tenant boundaries.
## Exploitation
- **Status:** Not exploited in the wild (identified during internal security testing).
- **Complexity:** Low (implied by the CVSS 10.0 score and nature of the crafted request).
- **Attack Vector:** Network (Remote, unauthenticated).
## Impact
- **Confidentiality:** Total (Attacker can read sensitive information across all tenants).
- **Integrity:** Total (Attacker can make configuration changes with Site Admin privileges).
- **Availability:** High (Configuration changes can lead to service disruption or total loss of control).
## Remediation
### Patches
Cisco has released the following updates to address this vulnerability:
- **For Release 3.9 and earlier:** No fix; users must migrate to a supported fixed release.
- **For Release 3.10:** Update to **3.10.8.3** or later.
- **For Release 4.0:** Update to **4.0.3.17** or later.
### Workarounds
- No workarounds are available to mitigate this vulnerability. Immediate patching or migration is required.
## Detection
- **Indicators of Compromise:** Unusual API requests targeting REST endpoints; unauthorized configuration changes attributed to the "Site Admin" user; data egress patterns consistent with cross-tenant access.
- **Detection methods and tools:** Review Cisco Secure Workload audit logs for suspicious administrative actions.
## References
- **Vendor Advisory:** hxxps://sec.cloudapps.cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csw-pnbsa-g8WEnuy
- **Original Report:** hxxps://thehackernews[.]com/2026/05/cisco-patches-cvss-100-secure-workload.html