Cisco on Wednesday said it has released updates for a maximum-severity flaw in Secure Workload, tracked as CVE-2026-20223, that could let an unauthenticated remote attacker access sensitive data and change configurations with Site Admin privileges.
KEY FACTS
- Severity: CVSS score of 10.0
- Impact: Sensitive data exposure and configuration changes across tenant boundaries
- Affected product: Cisco Secure Workload Cluster Software on SaaS and on-prem deployments
- Workarounds: None that address the flaw
The issue stems from insufficient validation and authentication when REST API endpoints are accessed. Cisco said an attacker would need to send a crafted API request to an affected endpoint to exploit the bug.
The company said the flaw affects Release 3.9 and earlier, which require migration to a fixed release. Release 3.10 is fixed in 3.10.8.3, and Release 4.0 is fixed in 4.0.3.17.
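The release guidance above can be turned into an inventory check. The following is an added example, not code from Cisco or from this article: it classifies cluster versions against the fixed releases named above. It assumes versions are plain dotted numeric strings; the cluster names and sample versions are constructed, and release trains the article does not mention are reported as unknown.

```python
import re

# Fixed releases exactly as stated in the article; nothing else is assumed.
FIXED = {(3, 10): (3, 10, 8, 3), (4, 0): (4, 0, 3, 17)}
MIGRATE_AT_OR_BELOW = (3, 9)   # "Release 3.9 and earlier" must migrate


def parse(version):
    """Parse a dotted numeric version; return None if it is not one."""
    text = version.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        return None
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))   # pad "3.10" -> (3, 10, 0, 0)


def triage(version):
    """Classify one cluster version as (status, target fixed release)."""
    v = parse(version)
    if v is None:
        return "unparsed", None
    train = v[:2]
    if train <= MIGRATE_AT_OR_BELOW:
        return "migrate", None            # no fix listed for this train
    fixed = FIXED.get(train)
    if fixed is None:
        return "unknown", None            # train not mentioned in the article
    target = ".".join(map(str, fixed))
    # Numeric tuple comparison: 4.0.3.9 is older than 4.0.3.17.
    return ("fixed", target) if v >= fixed else ("upgrade", target)


def triage_inventory(inventory):
    """Map {cluster_name: version} to {cluster_name: (status, target)}."""
    return {name: triage(ver) for name, ver in inventory.items()}


# Constructed sample inventory (hypothetical cluster names and versions).
SAMPLE = {"dc-east": "3.8.1.1", "dc-west": "3.10.8.2", "lab": "3.10.8.3",
          "prod": "4.0.3.9", "edge": "4.0.10.1", "dev": "4.1.0.0",
          "old": "v3.9"}

if __name__ == "__main__":
    for name, (status, target) in triage_inventory(SAMPLE).items():
        print(f"{name:8} {SAMPLE[name]:10} {status:9} {target or '-'}")
```

Anything reported as `unknown` or `unparsed` needs a manual check against Cisco's advisory rather than being treated as safe.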
Cisco said it found the vulnerability during internal security testing and has seen no evidence of exploitation in the wild. The disclosure comes a week after the company warned about another maximum-severity authentication bypass issue in Catalyst SD-WAN Controller that had been exploited by a threat actor.
WHY IT MATTERS
The flaw could expose sensitive data and allow unauthorized changes in Secure Workload environments, including across tenant boundaries. Users on affected versions are being told to move to fixed releases because no workaround is available.

