"An attacker could exploit this vulnerability if they are able to send a crafted API request to an affected endpoint," Cisco said. "A successful exploit could allow the attacker to read sensitive information and make configuration changes across tenant boundaries with the privileges of the Site Admin user."
CVE-2026-20223: insufficient validation in Secure Workload REST APIs
Cisco disclosed a maximum-severity vulnerability in its Secure Workload product, tracked as CVE-2026-20223 and assigned a CVSS score of 10.0. According to the company, the flaw stems from insufficient validation and authentication when accessing REST API endpoints. An unauthenticated, remote attacker who can send a crafted API request to an affected endpoint could read sensitive information and make configuration changes across tenant boundaries with Site Admin privileges.
Cisco Secure Workload: affected releases and fixes
The shortcoming affects Cisco Secure Workload Cluster Software on both SaaS and on-premises deployments, and Cisco said the exposure exists regardless of device configuration. There are no workarounds that address the vulnerability, the company warned. Cisco listed fixed releases and upgrade guidance:
- Cisco Secure Workload Release 3.9 and earlier — "Migrate to a fixed release"
- Cisco Secure Workload Release 3.10 — Fixed in 3.10.8.3
- Cisco Secure Workload Release 4.0 — Fixed in 4.0.3.17
Discovery and current exploitation status
Cisco said it discovered the vulnerability during internal security testing. As of its disclosure, the company reported there is no evidence that CVE-2026-20223 has been exploited in the wild. Despite that assurance, Cisco's advisory makes clear that the flaw requires prompt remediation because it grants powerful Site Admin-level capabilities across tenant boundaries if successfully exploited.
Connection to the recent Catalyst SD-WAN incident
The disclosure arrives one week after Cisco revealed another maximum-severity authentication bypass in Catalyst SD-WAN Controller — CVE-2026-20182, also scored 10.0. Cisco said that flaw has been exploited by a threat actor known as UAT-8616 to gain unauthorized access to SD-WAN systems. The back-to-back disclosures underline that multiple high-severity issues affecting Cisco products have surfaced in a short period.
What this means for technologists and security teams, affected enterprises, and threat actors
- Technologists and security teams: The lack of a workaround and the availability of fixed releases mean patching or migrating to the listed fixed builds is the primary remediation path. Teams managing Secure Workload in SaaS or on-prem deployments must treat this as a high-priority upgrade task.
- Affected enterprises: Organizations running releases 3.9 and earlier must migrate to a fixed release; those on 3.10 or 4.0 should upgrade to 3.10.8.3 or 4.0.3.17 respectively. The advisory's mention of tenant-boundary configuration changes raises particular concern for multi-tenant environments and service providers.
- Threat actors: Cisco's note that there is no evidence of exploitation to date does not preclude opportunistic misuse. The recent exploitation of CVE-2026-20182 by UAT-8616 demonstrates adversaries will attempt to weaponize critical flaws in Cisco products when possible.
Cisco's publication closes a narrow window between discovery and remediation: the company found the vulnerability internally and released fixes, while also signaling the absence of wild exploitation. Still, the simultaneous presence of another actively exploited, maximum-severity SD-WAN flaw a week earlier sharpens the operational imperative for users of these products to upgrade without delay.




