DarkReading

Cisco Fixes CVE-2026-20223 Secure Workload API Flaw


Cisco has released security updates to fix a critical vulnerability, tracked as CVE-2026-20223, affecting its Cisco Secure Workload platform. The flaw, which received the maximum CVSS score of 10.0, could allow an unauthenticated remote attacker to access sensitive information and make unauthorized configuration changes through vulnerable REST API endpoints.

The company said the issue originates from insufficient validation and authentication checks in internal REST API functions used by Secure Workload. The vulnerability has also been classified under CWE-306, a category associated with missing authentication protections for critical operations.

According to Cisco, “an attacker could exploit this vulnerability if they can send a crafted API request to an affected endpoint.” The company added that successful exploitation of CVE-2026-20223 could allow attackers to “read sensitive information and make configuration changes across tenant boundaries with the privileges of the Site Admin user.”

CVE-2026-20223 Impacts Internal Secure Workload REST API Functions 

Cisco stated in its advisory that the vulnerability affects internal REST API endpoints within Cisco Secure Workload Cluster Software. The issue impacts both SaaS and on-premises deployments regardless of device configuration. 

However, the company clarified that the flaw does not affect the web-based management interface. Instead, the exposure is limited to internal API functions associated with Secure Workload infrastructure. 

The advisory, identified as “cisco-sa-csw-pnbsa-g8WEnuy,” was first published on May 20, 2026, at 16:00 GMT. Cisco assigned the flaw a base CVSS score of 10.0 due to the severity of the potential impact and because exploitation requires no authentication. The issue is internally tracked under Cisco Bug ID CSCwt99942.

Cisco explained that the root cause behind CVE-2026-20223 is “insufficient validation and authentication when accessing REST API endpoints.” Because of these missing protections, attackers may be able to bypass authorization boundaries and gain access to site resources with Site Admin-level privileges. 

Cisco Warns of Cross-Tenant Data Exposure Risks 

The company warned that exploitation of CVE-2026-20223 could allow unauthorized access to sensitive information across tenant environments. Attackers could also modify configurations across tenant boundaries while operating with elevated Site Admin permissions. 

The nature of the vulnerability makes it particularly severe in multi-tenant Secure Workload environments where administrative controls and segmentation are critical for protecting customer data. 

Cisco also confirmed that there are currently no workarounds available to mitigate the REST API vulnerability. As a result, organizations using affected Secure Workload releases are being advised to install fixed software versions as quickly as possible.

The company stated that temporary mitigations are not enough to fully remediate the issue and strongly recommended upgrading to patched releases to avoid future exposure related to CVE-2026-20223. 

Fixed Secure Workload Versions for CVE-2026-20223 

Cisco released patches for affected Secure Workload versions and outlined the following fixed releases: 

  • Cisco Secure Workload Release 3.10 — fixed in version 3.10.8.3  
  • Cisco Secure Workload Release 4.0 — fixed in version 4.0.3.17  
  • Cisco Secure Workload Release 3.9 and earlier — customers are advised to migrate to a fixed release  

The company also noted that the cloud-based Cisco Secure Workload SaaS deployment has already been secured against CVE-2026-20223. Cisco said no user action is required for SaaS customers because the fixes have already been applied to the hosted environment. 
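
The fixed-release list above can be turned into an inventory check. The following is an added example, not code from Cisco or from the advisory; the cluster names, the sample version strings, and the assumption that later builds in a patched train retain the fix are all constructed for illustration.

```python
import re

# Fixed builds listed in the article, keyed by (major, minor) release train.
FIXED = {(3, 10): (3, 10, 8, 3), (4, 0): (4, 0, 3, 17)}
OLDEST_PATCHED_TRAIN = (3, 10)  # the article says 3.9 and earlier must migrate


def parse_version(text):
    """Return a dotted-numeric version as a tuple of ints, or None if malformed."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+){1,3})\s*", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def triage(version, deployment="on-prem"):
    """Classify one cluster for CVE-2026-20223 from the article's data only."""
    if deployment == "saas":
        return "no action: SaaS already patched by Cisco"
    v = parse_version(version)
    if v is None:
        return "unknown: unparseable version, check manually"
    train = v[:2]
    # Compare as integers: as strings, "3.10" would sort before "3.9".
    if train < OLDEST_PATCHED_TRAIN:
        return "vulnerable: migrate to a fixed release"
    fixed = FIXED.get(train)
    if fixed is None:
        return "unknown: release train not listed in the article"
    # Pad to four components so 4.0.3 is compared as 4.0.3.0.
    # Assumption: later builds in the same train keep the fix.
    if v + (0,) * (4 - len(v)) >= fixed:
        return "fixed"
    return "vulnerable: upgrade to " + ".".join(map(str, fixed))


# Constructed inventory: hypothetical cluster names and version strings.
INVENTORY = [
    ("csw-dc1", "3.10.8.3", "on-prem"),
    ("csw-dc2", "3.10.4.2", "on-prem"),
    ("csw-lab", "3.9.1.1", "on-prem"),
    ("csw-dr", "4.0.3", "on-prem"),
    ("csw-cloud", "", "saas"),
]


def report(inventory):
    """Map each cluster name to its triage result."""
    return {name: triage(ver, dep) for name, ver, dep in inventory}


if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name:10} {status}")
```

Release trains that the article does not list are reported as unknown rather than guessed, so they still need a manual check against the advisory.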

Customers requiring additional support were advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers for guidance regarding patch deployment and remediation. 

Cisco Says No Active Exploitation Has Been Detected 

Despite the maximum severity rating assigned to CVE-2026-20223, Cisco stated that its Product Security Incident Response Team (PSIRT) is “not aware of any public announcements or malicious use of the vulnerability” at the time of disclosure.

The company added that the vulnerability was identified during internal security testing rather than through reports of active attacks in the wild.

The disclosure highlights the increasing risks associated with insecure REST API implementations in enterprise infrastructure products. Vulnerabilities tied to CWE-306 can become especially dangerous when authentication checks are absent from critical administrative functions.

As more organizations rely on APIs to manage workloads, automate infrastructure, and support cloud-native environments, flaws like CVE-2026-20223 demonstrate how authentication weaknesses in Secure Workload platforms can expose sensitive systems and tenant data to unauthorized access. 

Cisco published version 1.0 of the advisory as a final release on May 20, 2026, and has not indicated whether additional revisions related to the Secure Workload REST API vulnerability are expected. 


