Cisco Secure Workload Flaw Enables Unauthorized API Access

Cisco has disclosed a critical vulnerability in its Secure Workload platform that could allow unauthenticated remote attackers to gain Site Admin-level access through unprotected internal REST API endpoints.

The flaw, tracked as CVE-2026-20223, carries a maximum CVSS base score of 10.0, placing it among the most severe security issues Cisco has publicly disclosed.

The vulnerability stems from insufficient validation and authentication when accessing internal REST API endpoints within Cisco Secure Workload.

Cisco Secure Workload Flaw

An attacker who can send a crafted API request to an affected endpoint could exploit the flaw without any credentials, effectively bypassing all access controls.

A successful exploit grants the attacker the full privileges of the Site Admin role, the highest administrative tier in the platform, enabling them to read sensitive information and make configuration changes across tenant boundaries.

This cross-tenant exposure is particularly alarming in multi-tenant enterprise environments, where workload isolation is a core security requirement, Cisco said.

Classified under CWE-306 (Missing Authentication for Critical Function), the flaw affects both SaaS and on-premises deployments of Cisco Secure Workload Cluster Software, regardless of device configuration.

Cisco clarified that the vulnerability impacts only internal REST APIs and does not affect the web-based management interface.

Affected Versions and Fixed Releases

Cisco has confirmed the following affected and patched release matrix:

Cisco Secure Workload Release | First Fixed Release
3.9 and earlier               | Migrate to a fixed release
3.10                          | 3.10.8.3
4.0                           | 4.0.3.17

Organizations running release 3.9 or earlier must migrate to a supported fixed release, as no patch is being backported to those versions. For SaaS deployments, Cisco has already addressed the vulnerability at the cloud infrastructure level, requiring no user action.

Cisco explicitly confirmed that no workarounds exist for this vulnerability. Patching to a fixed release is the only remediation path for on-premises deployments.

According to Cisco’s Product Security Incident Response Team (PSIRT), the vulnerability was discovered during internal security testing and has not been publicly announced or exploited in the wild before this advisory.

While this limits immediate risk, the critical CVSS 10.0 score and the absence of authentication requirements make it a high-priority patching target, and threat actors routinely monitor Cisco advisories to reverse-engineer exploits shortly after disclosure.

Security teams should take the following immediate steps:

  • Identify the deployment type: confirm whether your environment uses SaaS or on-premises Cisco Secure Workload
  • Apply patches immediately: upgrade to release 3.10.8.3 or 4.0.3.17, as applicable
  • Audit API access logs for anomalous REST API calls targeting internal endpoints
  • Review tenant boundaries and admin privilege assignments following patching
  • Monitor Cisco PSIRT for any updated exploitation indicators
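
The release matrix and the first two steps above can be applied to a cluster inventory as in the following sketch. It is an added example, not code from Cisco or from the original article; the dotted version-string format, the status labels and the host names are assumptions, and collecting the version from each cluster is left out.

```python
import re

# First fixed release per train, as listed in the article's release matrix.
FIRST_FIXED = {(3, 10): (3, 10, 8, 3), (4, 0): (4, 0, 3, 17)}
NO_FIX_UP_TO = (3, 9)  # "3.9 and earlier": no patch, migrate to a fixed release


def parse_version(text):
    """Parse 'A.B[.C[.D]]' into a 4-tuple of ints (assumed version format)."""
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text.strip()):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def triage(version, deployment="on-prem"):
    """Return (status, target) for one cluster, following the article's matrix."""
    if deployment == "saas":
        return ("no-action", None)      # addressed by Cisco on the SaaS side
    v = parse_version(version)
    train = v[:2]
    if train <= NO_FIX_UP_TO:
        return ("migrate", None)        # no backport for 3.9 and earlier
    fixed = FIRST_FIXED.get(train)
    if fixed is None:
        return ("not-listed", None)     # train not in the matrix: check the advisory
    if v < fixed:                       # numeric compare, so 3.10.10.x is not below 3.10.8.3
        return ("upgrade", ".".join(map(str, fixed)))
    return ("fixed", None)


def triage_inventory(inventory):
    """Map {name: (version, deployment)} to {name: (status, target)}."""
    return {name: triage(ver, dep) for name, (ver, dep) in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; names and versions are illustrative only.
    sample = {
        "csw-dc1": ("3.9.1.1", "on-prem"),
        "csw-dc2": ("3.10.8.2", "on-prem"),
        "csw-dc3": ("4.0.3.17", "on-prem"),
        "csw-cloud": ("4.0.1.1", "saas"),
    }
    for name, result in triage_inventory(sample).items():
        print(name, *result)
```

Versions are compared as integer tuples because a plain string comparison would sort 3.10 below 3.9 and 4.0.3.9 above 4.0.3.17, misclassifying both.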
