Critical Cisco Secure Workload API Flaw Grants Unauthenticated Site Admin Access
Cisco disclosed CVE-2026-20223, a critical CVSS 10.0 vulnerability in Cisco Secure Workload Cluster Software that allows an unauthenticated remote attacker to gain Site Admin privileges by sending crafted requests to internal REST API endpoints. The flaw stems from insufficient authentication and access validation (CWE-306) and affects both SaaS and on-premises deployments, enabling access to site resources, exposure of sensitive information, and configuration changes that can cross tenant boundaries.
Cisco said its hosted SaaS environments have already been remediated, while customers running affected versions must upgrade because no workaround is available. Fixed releases include 3.10.8.3 and 4.0.3.17, with the issue affecting version 3.9 and earlier, versions before 3.10.8.3, and versions before 4.0.3.17. Cisco and the Canadian Centre for Cyber Security urged administrators to review the advisory and apply updates promptly; Cisco said it is not aware of active exploitation and reported that the vulnerability was identified during internal security testing.

How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Canadian Centre for Cyber Security urges users to apply Cisco updates
The Canadian Centre for Cyber Security issued advisory AV26-491 highlighting Cisco's May 20 security advisories and specifically calling attention to the critical Cisco Secure Workload issue. It urged administrators to review Cisco's guidance and apply the necessary updates.
Cisco releases fixed Secure Workload versions and patches SaaS deployments
Cisco made fixes available for affected on-premises deployments in versions 3.10.8.3 and 4.0.3.17, with no workaround provided. Cisco also stated that its hosted SaaS environments had already been remediated and that it was not aware of active exploitation.
Cisco publishes advisory for CVE-2026-20223 in Secure Workload
Cisco disclosed CVE-2026-20223, a critical unauthorized API access vulnerability in Cisco Secure Workload caused by insufficient validation and authentication on internal REST API endpoints. The flaw can let an unauthenticated remote attacker gain Site Admin privileges, access sensitive information, and make configuration changes across tenant boundaries.
Sources
- Warning: Critical vulnerability in Cisco Secure Workload, Patch Immediately! | CCB Belgium (ccb.belgium.be)
- Cisco patches critical 10.0 flaw in Secure Workload APIs | news | SC Media (scworld.com)
- CVE-2026-20223: Cisco Secure Workload Auth Bypass Grants Site Admin Access (socradar.io)
- Cisco Fixes CVE-2026-20223 Secure Workload API Flaw (thecyberexpress.com)
- Cisco serves up yet another perfect 10 bug with Secure Workload admin flaw (theregister.com)
- Cisco security advisory (AV26-491) - Canadian Centre for Cyber Security (cyber.gc.ca)
- CVE-2026-20223 - Cisco Secure Workload Unauthorized API Access Vulnerability (cvefeed.io)
- Cisco Secure Workload Unauthorized API Access Vulnerability (sec.cloudapps.cisco.com)