Cyber Resilience

CVE-2026-20184

Critical

Published: 15 April 2026

Published
15 April 2026
Modified
17 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0052 40.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-20184 is a critical-severity Improper Certificate Validation (CWE-295) vulnerability in Cisco Webex Services (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-13 (Identity Providers and Authorization Servers) and SC-17 (Public Key Infrastructure Certificates).

Deeper analysis

CVE-2026-20184 is a vulnerability in the integration of single sign-on (SSO) with Control Hub in Cisco Webex Services, caused by improper certificate validation (CWE-295). Published on 2026-04-15, it enables an unauthenticated, remote attacker to impersonate any user within the service by exploiting flawed validation mechanisms.

An unauthenticated, remote attacker can exploit this vulnerability by connecting to a service endpoint and supplying a crafted token. Successful exploitation allows the attacker to gain unauthorized access to legitimate Cisco Webex services, potentially compromising confidentiality, integrity, and availability. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity due to low attack complexity and lack of prerequisites.

Cisco has published a security advisory providing details on the vulnerability and mitigation, available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-cui-cert-8jSZYhWL.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability in the integration of single sign-on (SSO) with Control Hub in Cisco Webex Services could have allowed an unauthenticated, remote attacker to impersonate any user within the service. This vulnerability existed because of improper certificate validation. Prior to…

more

this vulnerability being addressed, an attacker could have exploited this vulnerability by connecting to a service endpoint and supplying a crafted token. A successful exploit could have allowed the attacker to gain unauthorized access to legitimate Cisco Webex services.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1606.002 SAML Tokens Credential Access
An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.
Why these techniques?

Improper cert validation in public SSO endpoint directly enables remote unauthenticated impersonation via crafted tokens (SAML/web credentials) and exploitation of exposed service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7821Shared CWE-295
CVE-2026-21228Shared CWE-295
CVE-2025-46070Shared CWE-295
CVE-2024-41334Shared CWE-295
CVE-2024-43107Shared CWE-295
CVE-2024-40702Shared CWE-295
CVE-2026-5787Shared CWE-295
CVE-2025-68121Shared CWE-295
CVE-2026-3336Shared CWE-295
CVE-2025-30277Shared CWE-295

Affected Assets

Cisco
Webex Services
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of public key infrastructure certificates under defined conditions, directly addressing improper certificate validation that enables crafted tokens to impersonate users in SSO.

prevent

Mandates controls to protect the confidentiality, integrity, and availability of authentication processes for identity providers and authorization servers, mitigating SSO integration flaws like certificate validation failures.

prevent

Provides mechanisms to assure communications session authenticity, helping prevent impersonation attacks exploiting crafted tokens in SSO sessions.

References