CVE-2026-20223 CRITICAL

CVE-2026-20223: Cisco Secure Workload Unauthorized API Access Vulnerability

Vendor: Cisco
Product: Cisco Secure Workload
Weakness: CWE-306 · Missing auth
Published: May 20, 2026
Last update: May 21, 2026

CVSS base score

10.0/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

A vulnerability in the access validation of internal REST APIs of Cisco Secure Workload could allow an unauthenticated, remote attacker to access site resources with the privileges of the Site Admin role. This vulnerability is due to insufficient validation and authentication when accessing REST API endpoints. An attacker could exploit this vulnerability if they are able to send a crafted API request to an affected endpoint. A successful exploit could allow the attacker to read sensitive information and make configuration changes across tenant boundaries with the privileges of the Site Admin user. 

Key dates

02 Disclosure timeline

May 20, 2026: CVE published
May 21, 2026: Record updated