Threat Insight

Critical Cisco Secure Workload Vulnerability Allows Unauthenticated Site Admin Access (CVE-2026-20223)

Cisco has released security updates addressing a critical vulnerability, CVE-2026-20223, in Cisco Secure Workload. The vulnerability has a CVSS base score of 10.0 and could allow an unauthenticated remote attacker to gain Site Admin privileges by abusing internal REST API endpoints.

Insight

The vulnerability is caused by insufficient validation and authentication for internal REST API endpoints. An attacker could exploit the issue by sending a crafted API request to a vulnerable endpoint without authentication.

Successful exploitation could allow an attacker to:

  • Access site resources with Site Admin privileges
  • Read sensitive information
  • Modify configuration data across tenant boundaries

The vulnerability affects Cisco Secure Workload Cluster Software in both SaaS and on-premises environments, regardless of device configuration. Cisco states that the issue affects only internal REST APIs and does not impact the web-based management interface.

Cisco has released fixed software versions to remediate the issue. No workarounds are available, and customers are strongly advised to upgrade to a fixed release as outlined in the advisory.

Affected Products

Cisco Secure Workload Release 3.10
Cisco Secure Workload Release 3.9 and earlier
Cisco Secure Workload Release 4.0

Exploitation

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability, according to its advisory [1].

Recommended Actions

Truesec recommends applying fixes according to the table provided by Cisco, summarized below:

  • Cisco Secure Workload Release 3.9 and earlier – Migrate to a fixed release
  • Cisco Secure Workload Release 3.10 – Fixed in 3.10.8.3
  • Cisco Secure Workload Release 4.0 – Fixed in 4.0.3.17

There are no mitigations available.
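As an added example (not code from Truesec or from the Cisco advisory), the helper below classifies an installed Secure Workload version against the fixed releases in the table above, so an inventory export can be checked in bulk. It assumes versions are dotted numeric strings such as 3.10.8.3, and it treats release trains the table does not list as unknown rather than guessing.

```python
# Added example: classify a Cisco Secure Workload version against the fixed
# releases listed in the Truesec/Cisco table for CVE-2026-20223.
from __future__ import annotations

# Release train (major, minor) -> first fixed build on that train, per the table.
FIXED_RELEASES = {
    (3, 10): (3, 10, 8, 3),
    (4, 0): (4, 0, 3, 17),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '3.10.8.3' into (3, 10, 8, 3); reject anything non-numeric.

    Comparing integer tuples avoids the classic string-comparison bug
    where '3.9' sorts after '3.10'.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(text: str) -> str:
    """Return 'fixed', 'vulnerable' or 'migrate' for one version string.

    - 3.9 and earlier: no fixed build on that train, advisory says migrate
    - 3.10.x: fixed from 3.10.8.3 upward
    - 4.0.x:  fixed from 4.0.3.17 upward
    Trains absent from the table raise instead of guessing (assumption).
    """
    v = parse_version(text)
    major = v[0]
    minor = v[1] if len(v) > 1 else 0
    train = (major, minor)
    if train <= (3, 9):
        return "migrate"
    if train not in FIXED_RELEASES:
        raise ValueError(f"release train {major}.{minor} is not in the fix table")
    # Pad short strings so '3.10' compares as 3.10.0.0 (lexicographic tuples).
    padded = v + (0,) * (4 - len(v))
    return "fixed" if padded >= FIXED_RELEASES[train] else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("csw-a", "3.10.8.2"), ("csw-b", "4.0.3.17"), ("csw-c", "3.9.1")]:
        print(host, ver, assess(ver))
```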

References

[1] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csw-pnbsa-g8WEnuy
