What is the critical vulnerability Cisco disclosed in its Secure Workload platform (CVE 2026 20223), how does the flaw work through unauthenticated REST API calls, why did it receive a maximum CVSS score of 10.0 including its cross‑tenant “scope changed” impact, which versions of

Why the CVSS impact is maximum severity

• The question states that CVE-2026-20223 received a maximum CVSS score of 10.0 and involved “scope changed” cross-tenant impact, but the provided evidence does not include the CVSS vector or Cisco advisory text confirming those details.
• Based on the supplied NVD description, the severity rationale is consistent with unauthenticated remote access to resources under another user or tenant’s privileges, which implies high confidentiality and authorization impact.
• Insufficient evidence is available here to independently verify the exact CVSS 10.0 vector or the “scope changed” scoring component from the supplied sources.

Affected versions and required upgrades

• Insufficient evidence: the supplied evidence does not include Cisco Secure Workload affected-release ranges or the fixed upgrade versions for CVE-2026-20223.
• No workaround, migration path, or fixed-release table for CVE-2026-20223 is present in the provided evidence.
• The safe conclusion from the available evidence is that administrators should consult Cisco’s official advisory for the exact affected versions and required fixed releases before making upgrade decisions.

Fit within Cisco’s broader 2026 security issues

• Cisco disclosed multiple 2026 security advisories across products, including Cisco Prime Infrastructure, Cisco Unity Connection, Cisco Identity Services Engine, Cisco Nexus Dashboard, and Cisco Secure Firewall Management Center.
• Cisco Prime Infrastructure had a May 6, 2026 information-disclosure advisory with CVE-2026-20189 and a CVSS base score of 4.3.
• Cisco Unity Connection had a May 6, 2026 advisory covering remote code execution and server-side request forgery issues, CVE-2026-20034 and CVE-2026-20035, with a CVSS base score of 8.8.
• Cisco Identity Services Engine had a May 6, 2026 authentication-bypass advisory covering CVE-2026-20193 and CVE-2026-20195, with a CVSS base score of 5.3.
• Cisco Nexus Dashboard had an April 1, 2026 configuration-backup REST API vulnerability, CVE-2026-20042, with a CVSS base score of 6.5.
• Cisco Secure Firewall Management Center had a March 4, 2026 critical remote-code-execution advisory for CVE-2026-20131 with a CVSS base score of 10.0 and no workarounds.
• Cisco Secure Firewall Management Center also had a March 4, 2026 SQL-injection advisory covering CVE-2026-20001, CVE-2026-20002, and CVE-2026-20003 with a CVSS base score of 8.1.
• A New York State advisory also described multiple Cisco product vulnerabilities in 2026, noting that the most severe could allow remote code execution as root and complete compromise of an affected device.

Practical takeaway

• Treat CVE-2026-20223 as an urgent Secure Workload exposure because the available description involves unauthenticated remote access through internal REST APIs to another user’s or tenant’s resources.
• However, the provided evidence is not enough to name the affected Cisco Secure Workload versions or exact fixed releases, so those upgrade details should be verified directly against Cisco’s official advisory before remediation is finalized.