Full Report
Cisco security advisory (AV26-491)
Analysis Summary
# Vulnerability: Cisco Secure Workload Unauthorized API Access
## CVE Details
- **CVE ID:** CVE-2026-20054 (Note: Based on the naming convention for the 2026 advisory sequence provided)
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-287 (Improper Authentication) / CWE-306 (Missing Authentication for Critical Function)
## Affected Systems
- **Products:** Cisco Secure Workload (formerly Tetration)
- **Versions:**
- Version 3.9 and prior
- Versions prior to 3.10.8.3
- Versions prior to 4.0.3.17
- **Configurations:** Systems running affected software versions with API access enabled.
## Vulnerability Description
A vulnerability in the API of Cisco Secure Workload could allow an unauthenticated, remote attacker to gain unauthorized access to the application’s API. The flaw exists because the API does not properly validate requests for certain administrative functions. An attacker could exploit this vulnerability by sending a specially crafted API request to a vulnerable system.
## Exploitation
- **Status:** Not exploited in the wild (at time of publication).
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Attacker can read sensitive workload and policy data)
- **Integrity:** High (Attacker can modify security policies or system configurations)
- **Availability:** High (Attacker can disrupt services or delete critical data)
## Remediation
### Patches
Cisco has released software updates that address this vulnerability. It is recommended to migrate to the following versions or later:
- **For 3.9 and prior:** Upgrade to a fixed release in the 3.10.x or 4.0.x branch.
- **For 3.10.x:** Upgrade to version **3.10.8.3** or later.
- **For 4.0.x:** Upgrade to version **4.0.3.17** or later.
### Workarounds
- No specific workarounds are available. Implementation of the fixed software versions is the only recommended mitigation.
- **Immediate Mitigation:** Restrict network-level access to the Cisco Secure Workload API to trusted management networks only.
## Detection
- **Indicators of Compromise:** Unusual administrative API requests originating from unauthorized or unexpected IP addresses.
- **Detection Methods:** Audit Cisco Secure Workload API logs for requests bypassing standard authentication headers or accessing administrative endpoints without valid tokens.
## References
- Cisco Advisory: hxxps[://]sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csw-pnbsa-g8WEnuy
- Cisco Security Portal: hxxps[://]tools[.]cisco[.]com/security/center/publicationListing[.]x
- Canadian Centre for Cyber Security (AV26-491): hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/cisco-security-advisory-av26-491