ctipilot.ch

Cisco Secure Workload internal REST API zero-auth Site Admin CVSS 10.0

cve · CVE-2026-20223

Coverage timeline
2
first 2026-05-18 → last 2026-05-25
Entries
2
2 distinct days
Sources cited
5
5 hosts
Sections touched
2
trending-vulnerabilities, weekly-vuln-rollup
Co-occurring entities
1
see Related entities below

Story timeline

  1. 2026-05-22CVE-2026-20223 — Cisco Secure Workload: CVSS 10.0 zero-auth REST API grants Site Admin privileges across all tenants, no workaround
    trending-vulnerabilitiesCVE-2026-20223 — Cisco Secure Workload: CVSS 10.0 zero-auth REST API grants Site Admin privileges across all tenants, no workaround
  2. 2026-05-18CVE-2026-20223 — Cisco Secure Workload: CVSS 10.0 zero-auth REST API grants Site Admin across all tenants, no workaround
    weekly-vuln-rollupCVE-2026-20223 — Cisco Secure Workload: CVSS 10.0 zero-auth REST API grants Site Admin across all tenants, no workaround

Where this entity is cited

  • weekly-vuln-rollup1
  • trending-vulnerabilities1

Source distribution

  • cisa.gov1 (20%)
  • sec.cloudapps.cisco.com1 (20%)
  • security-hub.ncsc.admin.ch1 (20%)
  • success.trendmicro.com1 (20%)
  • theregister.com1 (20%)

Related entities

Entries about Cisco Secure Workload internal REST API zero-auth Site Admin CVSS 10.0 (2)

2026-05-22 · view entry permalink →

CVE-2026-20223 — Cisco Secure Workload: CVSS 10.0 zero-auth REST API grants Site Admin privileges across all tenants, no workaround

CVE-2026-20223 (CVSS 10.0, AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) is an access validation failure in the internal REST API of Cisco Secure Workload (formerly Tetration), the enterprise micro-segmentation platform (Cisco PSIRT, 2026-05-20). An unauthenticated remote attacker sends a single crafted HTTP request to an internal API endpoint to be granted Site Admin-level privileges — enabling cross-tenant data read, configuration modification, and full visibility over workload segmentation policy across all tenant boundaries. Both SaaS-hosted and on-premises deployments are affected; Cisco silently patched SaaS. On-premises operators must upgrade: 4.0.x → 4.0.3.17; 3.10.x → 3.10.8.3; 3.9 and earlier must migrate (no fix available). No workaround exists. Cisco found no evidence of exploitation at disclosure (2026-05-20); the vulnerability was discovered internally. NCSC-CH flagged this on 2026-05-21. The attack surface is the internal REST API management plane — restrict untrusted network access to the Secure Workload cluster API as the primary compensating control until patching is complete. Technique: T1190 Exploit Public-Facing Application. This is distinct from CVE-2026-20182 (Cisco Catalyst SD-WAN) covered on 2026-05-20.

CVE Summary Table

CVE Product CVSS EPSS KEV Exploited Patch Source
CVE-2026-34926 Trend Micro Apex One On-Premise 6.7 n/a Yes (2026-05-21) Yes (ITW) Build 17079 Trend Micro
CVE-2025-34291 Langflow AI Platform 9.4 (v4) / 8.8 (v3) n/a Yes (2026-05-21) Yes (ITW since Jan 2026) >= 1.7.0 / 1.9.3 CISA KEV
CVE-2026-20223 Cisco Secure Workload 10.0 n/a No No (disclosed internally) 3.10.8.3 / 4.0.3.17 Cisco PSIRT
vulnerability22 May 05:00Zmulti-sourceOpen finding ↗

2026-05-18 · view entry permalink →

CVE-2026-20223 — Cisco Secure Workload: CVSS 10.0 zero-auth REST API grants Site Admin across all tenants, no workaround

An access-validation failure in the internal REST API of Cisco Secure Workload (formerly Tetration), the enterprise micro-segmentation platform, lets an unauthenticated network attacker obtain Site Admin privileges across all tenants (CVSS 10.0, AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). There is no workaround — patching is the only remediation. No confirmed exploitation yet, but a perfect-10 zero-auth admin bug on a segmentation controller is an attractive target: compromise of the micro-segmentation fabric undermines every downstream lateral-movement control. NCSC.ch carried it on the Cyber Security Hub (post 12588). Patch on the highest-priority schedule and restrict management-plane network reachability in the interim.

vulnerability18 May 05:00Zmulti-sourceOpen finding ↗