Executive Summary
A CVSS 10.0 critical authentication bypass in Cisco Secure Workload allows an unauthenticated, remote attacker to access internal REST APIs with the full privileges of the Site Admin role. The flaw stems from insufficient validation and authentication when accessing internal REST API endpoints — no credentials are required to exploit this vulnerability.
Successful exploitation grants complete platform access, enabling an attacker to enumerate workloads, modify segmentation policies, and potentially pivot to connected infrastructure.
Vulnerability Details
| Attribute | Value |
|---|---|
| CVE | CVE-2026-20223 |
| CVSS Score | 10.0 (Critical) |
| Product | Cisco Secure Workload |
| Attack Vector | Network |
| Authentication Required | None |
| Privileges Gained | Site Admin |
| Published | 2026-05-20 |
| Source | NVD / Cisco Security Advisory |
Technical Analysis
The vulnerability exists in the access validation logic of Cisco Secure Workload's internal REST APIs. Under normal operation, these APIs are restricted to authenticated administrators. However, due to insufficient validation during authentication and access control evaluation, a remote attacker can bypass these controls entirely without any credentials.
Successful exploitation allows the attacker to:
- Access all site resources with Site Admin privileges
- Modify platform configuration including network policies and segmentation rules
- Enumerate workloads, agents, and network telemetry
- Create or delete administrative accounts
- Potentially pivot to workloads and services managed by the platform
With a CVSS score of 10.0 — the maximum possible — this vulnerability requires immediate attention. The combination of network accessibility, zero authentication requirement, and maximum privilege impact places it in the highest-priority patching tier.
Affected Products
- Cisco Secure Workload — refer to the Cisco Security Advisory for specific affected software versions and fixed releases
Recommended Actions
- Consult the Cisco Security Advisory immediately for affected version ranges and available patches
- Apply vendor patches on an emergency basis — CVSS 10.0 warrants same-day or next-day patching priority
- Restrict network access to Cisco Secure Workload management interfaces at the firewall/network layer as an interim control
- Audit Site Admin activity logs for any unauthorized access or configuration changes since 2026-05-20
- Monitor internal REST API endpoints for requests originating from unexpected sources
- Segment management traffic to limit exposure of the administrative plane
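The interim controls above (restricting the management plane to known subnets, auditing activity since the publication date, and watching the internal REST API for requests from unexpected sources) can be triaged from ordinary web-front-end access logs. The following Python script is an added example, not part of the advisory and not Cisco tooling. It assumes the appliance writes combined-format access logs and that the internal REST API sits under the placeholder prefix `/api/`; the prefix, the management subnet and the sample log lines are all constructed for illustration and must be replaced with your deployment's values.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Assumptions (not from the advisory): the appliance's web front end writes
# access logs in the common "combined" format, and its internal REST API
# lives under the placeholder prefix API_PREFIX. Adjust both for your deployment.
API_PREFIX = "/api/"          # placeholder path prefix, not a documented Cisco path
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Advisory publication date (2026-05-20): audit activity from this point onward.
PATCH_DATE = datetime(2026, 5, 20, tzinfo=timezone.utc)

# Combined log format: ip - - [timestamp] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_suspicious_api_requests(lines, allowed_cidrs, since=None):
    """Flag internal REST API requests that did not come from an allowed management subnet.

    allowed_cidrs: iterable of CIDR strings for hosts expected to reach the admin plane.
    since: optional timezone-aware datetime; only requests at or after it are considered.
    Returns findings sorted so that successful configuration changes (mutating
    methods with a 2xx status) come before read-only access and rejected requests.
    """
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(API_PREFIX):
            continue
        if since is not None and rec["ts"] < since:
            continue
        ip = ipaddress.ip_address(rec["ip"])
        if any(ip in n for n in nets):
            continue  # expected source; nothing to flag
        succeeded = 200 <= rec["status"] < 300
        if succeeded and rec["method"] in MUTATING_METHODS:
            severity = "high"     # successful change from outside the management plane
        elif succeeded:
            severity = "medium"   # successful read from outside the management plane
        else:
            severity = "low"      # rejected request; still worth recording
        findings.append({
            "ip": str(ip), "method": rec["method"], "path": rec["path"],
            "status": rec["status"], "time": rec["ts"].isoformat(), "severity": severity,
        })
    findings.sort(key=lambda f: {"high": 0, "medium": 1, "low": 2}[f["severity"]])
    return findings


# Constructed sample log lines (not real telemetry) for a stand-alone run.
SAMPLE_LOG = [
    '10.10.5.20 - - [21/May/2026:08:01:10 +0000] "GET /api/workloads HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '198.51.100.77 - - [21/May/2026:08:02:31 +0000] "GET /api/workloads HTTP/1.1" 200 5120 "-" "python-requests/2.31"',
    '198.51.100.77 - - [21/May/2026:08:02:45 +0000] "POST /api/policies HTTP/1.1" 201 88 "-" "python-requests/2.31"',
    '203.0.113.9 - - [21/May/2026:08:05:00 +0000] "DELETE /api/users/3 HTTP/1.1" 403 12 "-" "python-requests/2.31"',
    '10.10.5.21 - - [21/May/2026:08:06:00 +0000] "GET /ui/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [15/May/2026:12:00:00 +0000] "GET /api/workloads HTTP/1.1" 200 5120 "-" "curl/8.0"',
]
MANAGEMENT_SUBNETS = ["10.10.5.0/24"]   # constructed: hosts allowed to reach the admin plane

if __name__ == "__main__":
    for finding in find_suspicious_api_requests(SAMPLE_LOG, MANAGEMENT_SUBNETS, since=PATCH_DATE):
        print(finding)
```

Run against the constructed sample, the script reports the successful policy change from 198.51.100.77 first, then that host's read of the workload inventory, then the rejected account deletion from 203.0.113.9; the read from the management subnet and the request before the publication date are not reported. Feeding it your real front-end logs with the correct API prefix and management ranges gives a first pass at the audit the advisory asks for; the source allowlist is the same set of ranges you would enforce at the firewall as the interim control.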