Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionNVD
A vulnerability in the access validation of internal REST APIs of Cisco Secure Workload could allow an unauthenticated, remote attacker to access site resources with the privileges of the Site Admin role.
This vulnerability is due to insufficient validation and authentication when accessing REST API endpoints. An attacker could exploit this vulnerability if they are able to send a crafted API request to an affected endpoint. A successful exploit could allow the attacker to read sensitive information and make configuration changes across tenant boundaries with the privileges of the Site Admin user.
AnalysisAI
Authentication bypass in Cisco Secure Workload allows unauthenticated remote attackers to invoke internal REST API endpoints and act with Site Admin privileges across tenant boundaries. The flaw carries a maximum CVSS 10.0 score with a changed scope and full CIA impact, and no public exploit has been identified at time of analysis. Successful exploitation enables reading sensitive tenant data and modifying configuration globally, making this a critical-priority issue for any organization running affected versions.
Technical ContextAI
Cisco Secure Workload (formerly Tetration) is Cisco's microsegmentation and workload protection platform that enforces zero-trust policy across data center and cloud workloads, exposing both customer-facing and internal REST APIs for management and telemetry. The root cause maps to CWE-306 (Missing Authentication for Critical Function): internal REST API endpoints fail to perform sufficient authentication and access validation, so requests reach privileged handlers without the caller having to prove identity. Because Secure Workload is multi-tenant, the absence of authentication on internal endpoints also collapses the tenancy boundary, letting a caller operate with the global Site Admin role rather than a scoped tenant role. The affected CPE is cpe:2.3:a:cisco:cisco_secure_workload across a wide range of 1.x through 4.x train builds enumerated in the EUVD record.
RemediationAI
Patch available per vendor advisory - upgrade to the fixed Cisco Secure Workload release identified in cisco-sa-csw-pnbsa-g8WEnuy (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csw-pnbsa-g8WEnuy); exact fixed version is not enumerated in the input data and should be taken from that advisory at upgrade-planning time. Until patching is complete, restrict network reachability to the Secure Workload management and API interfaces by allow-listing only trusted operator subnets and segmentation orchestrators at upstream firewalls or load balancers, which limits exposure of the vulnerable internal REST endpoints at the cost of breaking any out-of-band tooling that currently reaches the cluster from elsewhere. Enable and review API access logs for anomalous unauthenticated requests to internal endpoints and rotate Site Admin credentials and API tokens after upgrading, since pre-patch access could have produced persistent configuration changes.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31131
GHSA-p3hw-qj46-c684