Skip to main content

Cisco Secure Workload EUVDEUVD-2026-31131

| CVE-2026-20223 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-05-20 cisco GHSA-p3hw-qj46-c684
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 20, 2026 - 17:30 vuln.today

DescriptionNVD

A vulnerability in the access validation of internal REST APIs of Cisco Secure Workload could allow an unauthenticated, remote attacker to access site resources with the privileges of the Site Admin role.

This vulnerability is due to insufficient validation and authentication when accessing REST API endpoints. An attacker could exploit this vulnerability if they are able to send a crafted API request to an affected endpoint. A successful exploit could allow the attacker to read sensitive information and make configuration changes across tenant boundaries with the privileges of the Site Admin user. 

AnalysisAI

Authentication bypass in Cisco Secure Workload allows unauthenticated remote attackers to invoke internal REST API endpoints and act with Site Admin privileges across tenant boundaries. The flaw carries a maximum CVSS 10.0 score with a changed scope and full CIA impact, and no public exploit has been identified at time of analysis. Successful exploitation enables reading sensitive tenant data and modifying configuration globally, making this a critical-priority issue for any organization running affected versions.

Technical ContextAI

Cisco Secure Workload (formerly Tetration) is Cisco's microsegmentation and workload protection platform that enforces zero-trust policy across data center and cloud workloads, exposing both customer-facing and internal REST APIs for management and telemetry. The root cause maps to CWE-306 (Missing Authentication for Critical Function): internal REST API endpoints fail to perform sufficient authentication and access validation, so requests reach privileged handlers without the caller having to prove identity. Because Secure Workload is multi-tenant, the absence of authentication on internal endpoints also collapses the tenancy boundary, letting a caller operate with the global Site Admin role rather than a scoped tenant role. The affected CPE is cpe:2.3:a:cisco:cisco_secure_workload across a wide range of 1.x through 4.x train builds enumerated in the EUVD record.

RemediationAI

Patch available per vendor advisory - upgrade to the fixed Cisco Secure Workload release identified in cisco-sa-csw-pnbsa-g8WEnuy (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csw-pnbsa-g8WEnuy); exact fixed version is not enumerated in the input data and should be taken from that advisory at upgrade-planning time. Until patching is complete, restrict network reachability to the Secure Workload management and API interfaces by allow-listing only trusted operator subnets and segmentation orchestrators at upstream firewalls or load balancers, which limits exposure of the vulnerable internal REST endpoints at the cost of breaking any out-of-band tooling that currently reaches the cluster from elsewhere. Enable and review API access logs for anomalous unauthenticated requests to internal endpoints and rotate Site Admin credentials and API tokens after upgrading, since pre-patch access could have produced persistent configuration changes.

Share

EUVD-2026-31131 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy