CVE-2026-20223 (CVSS 10.0): Unauthenticated REST API Auth Bypass in Cisco Secure Workload Grants Cross-Tenant Site Admin Privileges

Cisco disclosed CVE-2026-20223, a maximum-severity flaw in Secure Workload's internal REST APIs affecting both SaaS and on-premises deployments that allows an unauthenticated remote attacker to read sensitive data and modify configurations across tenant boundaries with full Site Admin privileges — no credentials, user interaction, or elevated complexity required. The disclosure follows last week's separately exploited CVSS 10 SD-WAN flaw (CVE-2026-20182) actively abused by UAT-8616, suggesting accelerating exploitation interest in Cisco management-plane targets. No workarounds exist; on-premises customers must patch to 3.10.8.3 or 4.0.3.17 immediately as PSIRT reports no public PoC yet, but the attack surface is fully pre-authenticated.

The disclosure follows last week's separately exploited CVSS 10 SD-WAN flaw (CVE-2026-20182) actively abused by UAT-8616, suggesting accelerating exploitation interest in Cisco management-plane targets.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the critical severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.

FILED UNDER:

cve-2026-20223 · cisco-secure-workload · unauthenticated-rce · tenant-isolation-bypass · rest-api · zero-trust-bypass

⚿

STAY AHEAD OF THREATS

Daily intel briefs and IOC packages — delivered to your inbox the moment a new advisory drops.

SUBSCRIBE — $29/MO →

SHARE BRIEF:✕ Post on X in Share on LinkedIn