“This is the absolute worst-case scenario,” he added. “Because of how vital this platform is to large enterprises, threat actors will be aggressively scanning for unpatched API endpoints to exploit.”
The urgency of addressing this immediately was echoed by Fred Chagnon, principal research director at Info-Tech Research Group. An attacker could modify or dismantle an enterprise’s security policies, he pointed out, effectively opening doors within the environment that were deliberately closed.
‘Blast radius could be significant’
“Because this access operates at the site admin level and crosses tenant boundaries,” he added, “the blast radius in a multi-tenant deployment could be significant, potentially exposing or compromising workloads and data belonging to multiple business units or customers.”
Cisco assigned this flaw (CVE-2026-20223) a maximum CVSS score of 10.0 because it allows an unauthenticated, remote attacker to bypass authentication entirely. By sending a crafted HTTP request to an internal REST API endpoint, the threat actor instantly gains site admin privileges.
