CVE-2026-20223 — Cisco Secure Workload: CVSS 10.0 zero-auth REST API grants Site Admin privileges across all tenants, no workaround
From CTI Daily Brief — 2026-05-22 · published 2026-05-22 · view item permalink →
CVE-2026-20223 (CVSS 10.0, AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) is an access validation failure in the internal REST API of Cisco Secure Workload (formerly Tetration), the enterprise micro-segmentation platform (Cisco PSIRT, 2026-05-20). An unauthenticated remote attacker sends a single crafted HTTP request to an internal API endpoint to be granted Site Admin-level privileges — enabling cross-tenant data read, configuration modification, and full visibility over workload segmentation policy across all tenant boundaries. Both SaaS-hosted and on-premises deployments are affected; Cisco silently patched SaaS. On-premises operators must upgrade: 4.0.x → 4.0.3.17; 3.10.x → 3.10.8.3; 3.9 and earlier must migrate (no fix available). No workaround exists. Cisco found no evidence of exploitation at disclosure (2026-05-20); the vulnerability was discovered internally. NCSC-CH flagged this on 2026-05-21. The attack surface is the internal REST API management plane — restrict untrusted network access to the Secure Workload cluster API as the primary compensating control until patching is complete. Technique: T1190 Exploit Public-Facing Application. This is distinct from CVE-2026-20182 (Cisco Catalyst SD-WAN) covered on 2026-05-20.
CVE Summary Table
| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-34926 | Trend Micro Apex One On-Premise | 6.7 | n/a | Yes (2026-05-21) | Yes (ITW) | Build 17079 | Trend Micro |
| CVE-2025-34291 | Langflow AI Platform | 9.4 (v4) / 8.8 (v3) | n/a | Yes (2026-05-21) | Yes (ITW since Jan 2026) | >= 1.7.0 / 1.9.3 | CISA KEV |
| CVE-2026-20223 | Cisco Secure Workload | 10.0 | n/a | No | No (disclosed internally) | 3.10.8.3 / 4.0.3.17 | Cisco PSIRT |