ctipilot.ch


CVE-2026-20223 — Cisco Secure Workload: CVSS 10.0 zero-auth REST API grants Site Admin privileges across all tenants, no workaround

high · vulnerability · discovered 2026-05-22 05:00 UTC

Entities: NCSC-CH

Part of run 2026-05-22-5b90d5a1 (intel · Claude Sonnet 4.6)

CVE-2026-20223 (CVSS 10.0, AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) is an access validation failure in the internal REST API of Cisco Secure Workload (formerly Tetration), the enterprise micro-segmentation platform (Cisco PSIRT, 2026-05-20). An unauthenticated remote attacker who sends a single crafted HTTP request to an internal API endpoint is granted Site Admin-level privileges, enabling cross-tenant data read, configuration modification, and full visibility over workload segmentation policy across all tenant boundaries.

Both SaaS-hosted and on-premises deployments are affected; Cisco silently patched SaaS. On-premises operators must upgrade: 4.0.x → 4.0.3.17; 3.10.x → 3.10.8.3; 3.9 and earlier must migrate (no fix available). No workaround exists. Cisco found no evidence of exploitation at disclosure (2026-05-20); the vulnerability was discovered internally. NCSC-CH flagged this on 2026-05-21.

The attack surface is the internal REST API management plane: restrict untrusted network access to the Secure Workload cluster API as the primary compensating control until patching is complete. Technique: T1190 Exploit Public-Facing Application. This is distinct from CVE-2026-20182 (Cisco Catalyst SD-WAN) covered on 2026-05-20.

CVE Summary Table

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-34926 | Trend Micro Apex One On-Premise | 6.7 | n/a | Yes (2026-05-21) | Yes (ITW) | Build 17079 | Trend Micro |
| CVE-2025-34291 | Langflow AI Platform | 9.4 (v4) / 8.8 (v3) | n/a | Yes (2026-05-21) | Yes (ITW since Jan 2026) | >= 1.7.0 / 1.9.3 | CISA KEV |
| CVE-2026-20223 | Cisco Secure Workload | 10.0 | n/a | No | No (disclosed internally) | 3.10.8.3 / 4.0.3.17 | Cisco PSIRT |

Action items

  • Restrict network access to Cisco Secure Workload REST API management plane — CVE-2026-20223 is CVSS 10.0 zero-auth; on-prem deployments require manual upgrade to 3.10.8.3 or 4.0.3.17 (3.9 and earlier: migrate). Until patched, firewall the Secure Workload cluster API endpoints to trusted management hosts only.
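
To triage an on-premises inventory against the fix levels listed in this brief, the following added example (not Cisco's code and not part of the original brief) classifies Secure Workload version strings as patched, needing upgrade, or needing migration. The dotted-numeric version format, the hostnames and the sample versions are assumptions constructed for illustration.

```python
import re

# First fixed on-prem release per branch, as listed in this brief.
FIXED = {(4, 0): (4, 0, 3, 17), (3, 10): (3, 10, 8, 3)}
# Branches at or below this one have no fix and must migrate (per the brief).
LAST_UNFIXED_BRANCH = (3, 9)

def parse_version(text):
    """Return a tuple of ints for a dotted numeric version, else None."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        return None
    return tuple(int(p) for p in text.split("."))

def triage(version_text):
    """Classify one on-prem version against the CVE-2026-20223 fix levels."""
    v = parse_version(version_text)
    if v is None:
        return "unparseable"
    branch = v[:2]
    if branch <= LAST_UNFIXED_BRANCH:
        return "migrate"          # 3.9 and earlier: no fix available
    fixed = FIXED.get(branch)
    if fixed is None:
        return "unknown-branch"   # not covered by the brief; check the advisory
    # Pad so "4.0.3" compares as 4.0.3.0; tuple compare is numeric, so 3.10 > 3.9.
    padded = v + (0,) * (len(fixed) - len(v))
    return "patched" if padded >= fixed else "upgrade to " + ".".join(map(str, fixed))

def triage_inventory(inventory):
    """Map {host: version} to {host: status}."""
    return {host: triage(ver) for host, ver in inventory.items()}

# Constructed inventory; hostnames and versions are sample values.
SAMPLE = {
    "sw-cluster-a": "4.0.3.17",
    "sw-cluster-b": "4.0.2.5",
    "sw-cluster-c": "3.10.8.3",
    "sw-cluster-d": "3.10.4.8",
    "sw-cluster-e": "3.9.1.1",
    "sw-cluster-f": "3.8.1.19",
    "sw-cluster-g": "4.1.0.2",
    "sw-cluster-h": "n/a",
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host:14} {SAMPLE[host]:10} {status}")
```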
Tags: vulnerabilities, rce, pre-auth, global, CVE-2026-20223