Cisco's Latest Perfect 10: Secure Workload Flaw Hands Attackers Admin Privileges for Free
Cisco has disclosed another maximum-severity vulnerability, and this one is about as bad as it gets. CVE-2026-20223 scores a perfect 10.0 on the CVSS scale and affects the company's Secure Workload platform across both SaaS and on-premises deployments.
The root cause is poor validation and authentication on internal REST API endpoints. No credentials required, no user interaction needed. An unauthenticated attacker simply sends crafted API requests and can walk away with Site Admin privileges. From there, they can read sensitive data and push configuration changes across tenant boundaries.
That last part is the bit that should make cloud customers sit up. Multi-tenant infrastructure runs on the assumption that a breach in one tenancy stays in that tenancy. Cross-tenant privilege escalation breaks that assumption entirely, which is a different category of bad from a run-of-the-mill remote code execution bug.
Cisco's advisory clarifies that the vulnerable endpoints are internal REST APIs rather than the standard web management interface. That distinction is technically accurate and practically meaningless when the severity score is still a 10.
There are no workarounds. Customers need to patch. Secure Workload 3.10 users should move to 3.10.8.3, and 4.0 users need 4.0.3.17. Anyone still on version 3.9 or earlier is being directed to migrate to a supported release. The good news, if you can call it that, is that Cisco's cloud-hosted SaaS deployments have already been patched and need no action from customers.
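The upgrade guidance above, applied to an inventory of clusters, as an added example (not code from Cisco or from this article). It assumes release strings are dotted numerics like the versions quoted above; the hostnames, sample versions and action labels are constructed for illustration.

```python
"""Triage Secure Workload clusters against the fixed releases named above."""

# Fixed release per train, as stated in the article.
FIXED = {(3, 10): (3, 10, 8, 3), (4, 0): (4, 0, 3, 17)}
OLDEST_SUPPORTED_TRAIN = (3, 10)  # article: 3.9 or earlier must migrate


def parse_version(text):
    """Parse a dotted numeric version; reject anything else rather than guess."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def triage(version, deployment="on-prem"):
    """Return the action the article prescribes for one cluster."""
    if deployment == "saas":
        return "no-action"        # Cisco-hosted SaaS is already patched
    v = parse_version(version)
    train = v[:2]
    # Integer tuples: 3.10 sorts after 3.9, which a string compare gets wrong.
    if train < OLDEST_SUPPORTED_TRAIN:
        return "migrate"          # move to a supported release
    fixed = FIXED.get(train)
    if fixed is None:
        return "check-advisory"   # train not covered by the article
    # Pad so "4.0.3" is compared as 4.0.3.0 against 4.0.3.17.
    padded = v + (0,) * (len(fixed) - len(v))
    return "patched" if padded >= fixed else "patch"


# Constructed sample inventory: (hostname, reported version, deployment type).
INVENTORY = [
    ("sw-lab-01", "3.10.8.3", "on-prem"),
    ("sw-prod-01", "3.10.2.11", "on-prem"),
    ("sw-prod-02", "4.0.3.2", "on-prem"),
    ("sw-old-01", "3.9.1.1", "on-prem"),
    ("sw-cloud", "4.0.1.1", "saas"),
]


def report(inventory):
    """Map each hostname to its required action."""
    return {name: triage(ver, dep) for name, ver, dep in inventory}


if __name__ == "__main__":
    for name, action in report(INVENTORY).items():
        print(f"{name:12} {action}")
```

Any cluster reported as `check-advisory` is on a train this article does not mention, so the answer has to come from Cisco's advisory rather than from this script.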
Cisco says it found the flaw through internal security testing and has no evidence of active exploitation. That's reassuring for about five minutes. Unauthenticated, remotely exploitable, maximum-severity bugs rarely stay unnoticed once they're public.
This lands less than a week after Cisco patched another 10.0-rated flaw, that one in SD-WAN systems and also capable of granting attackers administrator access. The company has spent much of the past year churning out advisories for critical flaws across firewalls, identity platforms, management tools, and enterprise networking kit.
At this rate, a perfect CVSS score is starting to look less like an exceptional event and more like a quarterly tradition at Cisco HQ.