TheCyberThrone

CVE-2026-20223 — Cisco Secure Workload Authentication Bypass

CVE-2026-20223 is assigned a maximum CVSS base score of 10.0. The vulnerability allows remote, completely unauthenticated threat actors to cross isolated tenant boundaries and gain full control over data center and cloud infrastructure configurations.

Affected Product

Cisco Secure Workload

Root Cause

The flaw stems from insufficient validation and authentication in REST API endpoints. Remote attackers could exploit the flaw by sending crafted API requests and potentially gain Site Admin privileges with access to site resources.

Because Cisco Secure Workload’s internal REST APIs fail to challenge and verify incoming requests, an attacker needs no prior foothold, valid cryptographic token, or active session cookie to manipulate the target system.

Exploitation Mechanics

An attacker can exploit this by sending a specially crafted API request. This request bypasses the intended access controls, allowing the attacker to interact with site resources as if they possessed the Site Admin role. The exact vulnerable API endpoint or specific parameters are not named in the CVE data, suggesting a broad issue with access validation across internal APIs rather than a single, isolated flaw.

Exploitation requires no prior authentication — an attacker only needs remote network access to send a crafted API request to an affected endpoint. No public PoC exists at the time of writing.

Impact

A successful exploit could allow the attacker to read sensitive information and make configuration changes across tenant boundaries with the privileges of the Site Admin user.

All three impact pillars are rated High:

The scope is marked Changed (C) in the CVSS vector, meaning a successful exploit extends beyond the vulnerable component into other tenant environments.

Exploit Status

As of May 20, 2026, there are no confirmed reports of active exploitation. However, the vulnerability’s low attack complexity and critical impact make it a high-risk issue if left unpatched.

Remediation
