Mallory
Critical · Public exploit

Authentication bypass in Cisco Secure Workload internal REST APIs

Identifiers: CVE-2026-20223 · CWE-306 (Missing Authentication for…)

CVE-2026-20223 is a critical authentication and access-validation flaw in the internal REST API endpoints of Cisco Secure Workload Cluster Software. The issue is caused by insufficient validation and authentication when processing requests to affected internal API endpoints. A remote attacker can send a crafted API request to a vulnerable endpoint without prior authentication and gain access to site resources with the privileges of the Site Admin role. Cisco states the flaw affects both SaaS and on-premises Secure Workload deployments, although the web-based management interface is not affected. Successful exploitation can cross tenant boundaries, allowing unauthorized access to sensitive information and administrative configuration functions.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a completely unauthenticated remote attacker to bypass intended authorization boundaries and operate with Site Admin-level privileges. This can expose sensitive information, enable unauthorized configuration changes, and affect resources across tenant boundaries in multi-tenant environments. Based on the published CVSS vector and Cisco’s description, the vulnerability has high confidentiality, integrity, and availability impact, with changed scope because compromise can extend beyond the vulnerable component into other tenant contexts or managed infrastructure.

Mitigation

If you can’t patch tonight, do this now.

Cisco states there are no vendor-provided workarounds for this vulnerability. Until patching is completed for on-premises deployments, exposure can only be reduced through compensating controls such as restricting network access to Secure Workload internal API endpoints and management-plane components, isolating those interfaces from untrusted networks, and closely monitoring API access logs and configuration changes for anomalous unauthenticated or suspicious activity. These measures do not remediate the flaw and should be treated only as temporary risk reduction.
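As an added defender-side example (not code from the Mallory page or from Cisco), this script applies the monitoring advice above to constructed access-log lines, flagging successful requests to the internal API that carry no authenticated principal, user-account mutations, and sources outside an assumed management network. The log format, the management range 10.0.0.0/24 and the function names are assumptions; the endpoint paths are the ones named in the exploit description further down this page.

```python
import ipaddress
import re

# Constructed access-log format for this example (not Cisco's real log schema):
#   <timestamp> <src_ip> <method> <path> <status> auth=<user|->
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) auth=(?P<user>\S+)$"
)
# Internal API paths named in the PoC description on this page; extend as needed.
SENSITIVE_PATHS = ("/api/v1/users", "/api/v1/config")
# Assumed management network allowed to reach the internal API (placeholder range).
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]

def parse(line: str) -> dict:
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()

def classify(rec: dict) -> list:
    """Findings for one parsed request; an empty list means nothing suspicious."""
    if not any(rec["path"].startswith(p) for p in SENSITIVE_PATHS):
        return []
    findings = []
    if rec["user"] == "-" and rec["status"].startswith("2"):
        # 2xx on a privileged endpoint with no authenticated principal: the core symptom.
        findings.append("unauthenticated_success")
    if rec["method"] in ("POST", "PUT", "PATCH", "DELETE") and rec["path"].startswith("/api/v1/users"):
        findings.append("user_mutation")  # account creation/modification attempt
    if not any(ipaddress.ip_address(rec["src"]) in net for net in MGMT_NETS):
        findings.append("source_outside_mgmt_net")
    return findings

def scan(lines: list) -> list:
    """Run classify() over raw log lines and return only the alerting requests."""
    alerts = []
    for line in lines:
        rec = parse(line)
        findings = classify(rec)
        if findings:
            alerts.append({"src": rec["src"], "method": rec["method"], "path": rec["path"], "findings": findings})
    return alerts

SAMPLE_LOG = [  # constructed sample lines, not real Secure Workload output
    "2026-05-23T10:00:01Z 10.0.0.5 GET /api/v1/config 200 auth=admin",
    "2026-05-23T10:00:07Z 203.0.113.9 GET /api/v1/config 200 auth=-",
    "2026-05-23T10:00:09Z 203.0.113.9 POST /api/v1/users 201 auth=-",
    "2026-05-23T10:00:12Z 10.0.0.5 GET /api/v1/health 200 auth=-",
]
```

Feeding real logs requires only rewriting LOG_RE and MGMT_NETS for the deployment; the classification rules stay the same.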

Remediation

Patch, then assume compromise.

Upgrade affected Cisco Secure Workload deployments to fixed releases. Cisco states Secure Workload Release 3.10 is fixed in version 3.10.8.3 and Release 4.0 is fixed in version 4.0.3.17. Deployments on Release 3.9 and earlier should migrate to a supported fixed release. Cisco-hosted SaaS environments have already been remediated and require no customer action. Cisco states there are no workarounds, so installing fixed software is the required remediation.
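As an added example, not from this page or from Cisco, the following version gate encodes the fixed releases stated above so an inventory script can sort deployments into fixed, vulnerable, or migrate. The function and table names are assumed; the "unknown" result for release trains the advisory text does not name is an assumption, not a vendor statement.

```python
# Fixed releases as stated in the remediation text above. Release 3.9 and
# earlier have no fixed build and must migrate to a supported fixed release.
FIXED_RELEASES = {
    (3, 10): (3, 10, 8, 3),
    (4, 0): (4, 0, 3, 17),
}

def parse_version(v: str) -> tuple:
    """Turn '3.10.8.3' into (3, 10, 8, 3); reject anything non-numeric."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(p) for p in parts)

def assess(version: str) -> str:
    """Classify a Secure Workload version as fixed, vulnerable, migrate, or unknown."""
    ver = parse_version(version)
    train = ver[:2]
    fixed = FIXED_RELEASES.get(train)
    if fixed is None:
        if train < (3, 10):
            # Older trains have no fixed build per the advisory: migrate.
            return "migrate"
        # Trains newer than those named above are not covered by the text
        # on this page; flag for manual review rather than guessing.
        return "unknown"
    # Pad short strings such as "3.10.9" with zeros so tuple comparison is sound.
    padded = ver + (0,) * (len(fixed) - len(ver))
    return "fixed" if padded >= fixed else "vulnerable"
```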
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

Valid: 1 / 1 total
CVE-2026-20223 · Maturity: PoC · Verified exploit

This repository is a small standalone PoC repository for CVE-2026-20223 targeting Cisco Secure Workload. It contains 5 files total: a README and license, plus two executable PoC implementations—one in Python and one in Bash. The Python script defines a CiscoSecureWorkloadPoC class, sets up a requests session with TLS verification disabled, enumerates a list of privileged REST API endpoints, performs unauthenticated GET requests to identify exposed resources, and then attempts POST requests with JSON user-creation data when an endpoint appears accessible. It also includes a dedicated create_admin_user() routine that posts directly to /api/v1/users to create a Site Admin account. The Bash script mirrors the same logic using curl, logs results, stores temporary responses under /tmp, and tests one extra endpoint (/api/v1/config). Overall, the exploit capability is unauthorized access to privileged web API endpoints and potential unauthenticated creation of a high-privilege administrative user. This is not merely a detector: it includes active exploitation behavior via POST requests and hardcoded account-creation payloads, making it an operational PoC rather than a passive scanner.

Author: HORKimhab · Disclosed May 22, 2026 · Tags: python, bash, web, network
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor          Product          Type
Cisco Systems   Secure Workload  application

Vendor-confirmed product mapping.

ACTIVITY FEED

Recent activity

63 sources tracked across advisories, community write-ups, and news.
