
Cisco Patches CVSS 10.0 Secure Workload REST API Flaw Enabling Data Access

Cisco has rolled out updates for a maximum-severity security flaw impacting Secure Workload that could permit an unauthenticated, remote attacker to access sensitive information.

Tracked as CVE-2026-20223 (CVSS score: 10.0), the vulnerability arises from inadequate validation and authentication when accessing REST API endpoints.

“An attacker may exploit this vulnerability if they can send a crafted API request to an affected endpoint,” Cisco stated. “A successful exploit may permit the attacker to read sensitive information and make configuration changes across tenant boundaries with the privileges of the Site Admin user.”

The shortcoming impacts Cisco Secure Workload Cluster Software on SaaS and on-prem deployments, regardless of device configuration. Cisco stated there are no workarounds that address the vulnerability.

The issue has been addressed in the following versions:

  • Cisco Secure Workload Release 3.9 and earlier (Migrate to a fixed release)
  • Cisco Secure Workload Release 3.10 (Fixed in 3.10.8.3)
  • Cisco Secure Workload Release 4.0 (Fixed in 4.0.3.17)
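
A version check built from the list above, as an added example that is not from Cisco or the original article. It assumes versions are plain dotted-numeric strings; the cluster names and inventory are constructed, and release trains the article does not list are reported as unlisted rather than guessed.

```python
import re

# Fixed releases exactly as listed in the article, keyed by release train.
FIXED = {(3, 10): (3, 10, 8, 3), (4, 0): (4, 0, 3, 17)}
OLDEST_FIXED_TRAIN = min(FIXED)  # trains before 3.10 have no fix: migrate


def parse_version(text):
    """Turn '3.10.8.3' into (3, 10, 8, 3); reject non dotted-numeric input."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)+", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _pad(version, width):
    """Right-pad with zeros so '3.10.8' compares as 3.10.8.0."""
    return version + (0,) * (width - len(version))


def assess(version_text):
    """Classify one version: 'migrate', 'upgrade', 'fixed' or 'unlisted'."""
    version = parse_version(version_text)
    train = version[:2]
    if train < OLDEST_FIXED_TRAIN:
        return "migrate"      # 3.9 and earlier: move to a fixed release
    fixed = FIXED.get(train)
    if fixed is None:
        return "unlisted"     # train not covered here; consult the advisory
    width = max(len(version), len(fixed))
    # Numeric tuple comparison: 4.0.3.9 sorts below 4.0.3.17, unlike strings.
    return "fixed" if _pad(version, width) >= _pad(fixed, width) else "upgrade"


def triage(inventory):
    """Map each cluster name to its status; bad version strings are flagged."""
    report = {}
    for name, version_text in inventory.items():
        try:
            report[name] = assess(version_text)
        except ValueError:
            report[name] = "unparsable"
    return report


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical cluster names and versions).
    sample = {"lab": "3.9.1.1", "prod-a": "3.10.4.12", "prod-b": "3.10.8.3",
              "dr": "4.0.3.9", "new": "4.0.3.17", "odd": "v4.0"}
    for name, status in triage(sample).items():
        print(f"{name:8} {status}")
```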

The networking equipment major stated it discovered the vulnerability during internal security testing and that there is no evidence of it being exploited in the wild.

The disclosure comes a week after Cisco revealed that another maximum-severity authentication bypass flaw in Catalyst SD-WAN Controller (CVE-2026-20182, CVSS score: 10.0) has been exploited by a threat actor known as UAT-8616 to gain unauthorized access to SD-WAN systems.
