A critical (CVSS 10.0) authentication flaw in Cisco Secure Workload's internal REST APIs lets an unauthenticated remote attacker reach site resources and act with Site Admin privileges across tenant boundaries.
What Is It
CVE-2026-20223 is an access validation weakness (CWE-306, Missing Authentication) in the internal REST APIs of Cisco Secure Workload. According to Cisco's PSIRT advisory, the product performs insufficient validation and authentication when REST API endpoints are accessed. An attacker who can deliver a crafted API request to an affected endpoint can bypass that check and operate as if they held the Site Admin role.
The CVSS 3.1 vector, AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, captures the worst-case shape of the bug: network-reachable, low complexity, no privileges required, no user interaction, and a scope change with high impact to confidentiality, integrity, and availability.
Why It Matters
Site Admin is the top-level role in Secure Workload, and the scope-changed CVSS reflects that exploitation crosses tenant boundaries. A successful exploit lets an attacker:
- Read sensitive information held by the platform.
- Make configuration changes across tenants with Site Admin privileges.
Because Secure Workload is a workload segmentation and policy product, configuration tampering at Site Admin level can directly affect the security posture of every tenant the appliance serves. The combination of unauthenticated access, network attack vector, and cross-tenant scope is what drives the 10.0 score.
What's Vulnerable
Cisco Secure Workload is named as the affected product in the NVD record. Specific fixed versions and platform builds are tracked in the Cisco Security Advisory referenced below; the NVD entry itself lists no CPE matches at the time of publication (status: Awaiting Analysis).
Patch Status
The CVE was published 2026-05-20 by Cisco PSIRT and is still in NVD "Awaiting Analysis" status. Cisco's security advisory cisco-sa-csw-pnbsa-g8WEnuy is the authoritative source for fixed releases and any workarounds; administrators of Secure Workload deployments should consult it and apply the vendor-supplied fix.
CISA KEV does not list this CVE at the time of writing, so there is no public confirmation of in-the-wild exploitation yet. Given the unauthenticated, network-reachable nature of the flaw, patching should not wait on that signal.