A maximum-severity flaw in Cisco Secure Workload requires no credentials, no user interaction, and no special network position — any attacker with network access to the platform can claim full administrative control of the system by sending crafted requests to its internal REST API.
CVE-2026-20223: No Authentication, Full Admin Access
Cisco has disclosed CVE-2026-20223, a missing-authentication vulnerability in Cisco Secure Workload’s internal REST API endpoints. The flaw carries a CVSS score of 10.0 — the maximum — with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. An unauthenticated remote attacker can send crafted API requests to the affected endpoints and obtain Site Admin-level privileges without supplying any credentials.
Site Admin access on Cisco Secure Workload is not a limited administrative role. The platform provides microsegmentation, application dependency mapping, and zero-trust policy enforcement across hybrid cloud and data center environments, and Site Admin grants cross-tenant read and configuration capability across all managed workloads.
Cisco Secure Workload 3.9: No Patch Available, Migration Required
Three release lines are affected. Cisco Secure Workload 3.9 and earlier has no available patch; organizations on those versions must migrate to a supported release and cannot remediate by applying a configuration change. Version 3.10 is patched in release 3.10.8.3, and version 4.0 is patched in release 4.0.3.17. Cisco has already patched SaaS deployments it manages directly.
Cisco’s advisory explicitly states that no workarounds exist for the vulnerability. For organizations running 3.9 or earlier, migration is the only path to remediation.
CVE-2026-20223 Unobserved in Active Attacks as of Cisco Advisory
Cisco’s advisory states that no active exploitation had been observed as of the time of publication. The combination of a CVSS 10.0 score, no authentication requirement, and network-level accessibility creates an extremely low barrier to weaponization, however, and unsupported versions of the platform have no patch path available.
What CVE-2026-20223’s CVSS 10.0 Score Means for Zero-Trust Workload Deployments
The maximum CVSS score reflects a specific set of conditions that converge on this vulnerability. The attack vector is network-accessible, complexity is low, no privileges are required, no user interaction is needed, the scope impact extends beyond the vulnerable component, and all three impact dimensions — confidentiality, integrity, and availability — are rated high. Each factor is present simultaneously in CVE-2026-20223.
Cisco Secure Workload is deployed in environments where its core function is enforcing segmentation and zero-trust policies across multi-tenant workloads. An attacker who achieves Site Admin access on such a platform has visibility into and control over the policy infrastructure that other security controls depend on, spanning both hybrid cloud and data center deployments.
