cisco: 1 article

Cisco's Latest Perfect 10: Secure Workload Flaw Hands Attackers Admin Privileges for Free

Cisco has disclosed a maximum severity (CVSS 10.0) vulnerability, CVE-2026-20223, in its Secure Workload platform, which allows unauthenticated attackers to gain Site Admin privileges by sending crafted API requests to poorly validated internal REST API endpoints. A successful exploit could enable attackers to read sensitive data and make configuration changes across tenant boundaries, affecting both SaaS and on-premises deployments. Cisco says no workarounds exist, fixed versions have been released, and cloud-hosted deployments have already been patched, though the flaw marks another in a growing string of perfect-10 vulnerabilities from the networking giant.

27 May 2026