CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-20223

CVSS 10.0v3.1pub. 2026-05-20upd. 2026-06-30

A vulnerability in the access validation of internal REST APIs of Cisco Secure Workload could allow an unauthenticated, remote attacker to access site resources with the privileges of the Site Admin role. This vulnerability is due to insufficient validation and authentication when accessing REST API endpoints. An attacker could exploit this vulnerability if they are able to send a crafted API request to an affected endpoint. A successful exploit could allow the attacker to read sensitive information and make configuration changes across tenant boundaries with the privileges of the Site Admin user. 

🤖 AI Analysis
How it works

The vulnerability exists due to insufficient validation and lack of authentication when accessing specific REST API endpoints. An attacker can exploit the vulnerability by sending a properly crafted API request to the vulnerable endpoint without possessing any credentials. Successful execution of the attack allows operation with full Site Admin user privileges, which includes access to resources of multiple tenants.

Impact

An attacker can read sensitive information and make configuration changes throughout the system, crossing tenant boundaries, with the highest administrative role privileges — Site Admin.

Mitigation & patch

Apply patches available from the vendor according to references: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csw-pnbsa-g8WEnuy

Who is affected

Cisco Secure Workload — versions indicated in vendor references.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Cisco Secure Workload

    APP
    Cisco
    < 3.10.8.34.0 – 4.0.3.17 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2023-20136MEDIUM4.3ten sam produkt

A vulnerability in the OpenAPI of Cisco Secure Workload could allow an authenticated, remote attacker with the...

CVE-2026-20182CRITICAL10.0⚠ KEVPL ✓ten sam vendor

Cisco Catalyst SD-WAN — pominięcie uwierzytelnienia z dostępem administracyjnym

CVE-2026-20131CRITICAL10.0⚠ KEVPL ✓ten sam vendor

RCE przez insecure deserialization w Cisco Secure Firewall Management Center

CVE-2026-20127CRITICAL10.0⚠ KEVPL ✓ten sam vendor

Cisco Catalyst SD-WAN — ominięcie uwierzytelnienia peering i przejęcie uprawnień

CVE-2025-20393CRITICAL10.0⚠ KEVPL ✓ten sam vendor

RCE z uprawnieniami root w Cisco Secure Email Gateway i Secure Email and Web Manager