Cisco patches critical unauthenticated REST API flaw in Secure Workload
Cisco fixed a high-severity, unauthenticated REST API vulnerability in Secure Workload (CVE-2026-20223, CVSS 10.0) that could let remote attackers read sensitive data and alter tenant configurations across boundaries with Site Admin privileges. The flaw affects Secure Workload Cluster Software on SaaS and on-prem deployments with no available workarounds; patches are available in Release 3.10.8.3 (3.10) and 4.0.3.17 (4.0), with users of 3.9 and earlier advised to migrate. Cisco notes no known exploits in the wild at this time; the article also references a separate CVE-2026-20182 exploit in Catalyst SD-WAN Controller.