Webex SSO impersonates any user, unauth (CVE-2026-20184)

Patch now - CVE-2026-20184 is a critical authentication bypass in Cisco Webex Services that grants an unauthenticated remote attacker the ability to impersonate any legitimate user and compromise all organizational communications. Apply the update via Cisco Webex Control Hub immediately.

Overview

A critical security vulnerability in Cisco Webex Services could have allowed a remote attacker with no credentials to impersonate any legitimate user. The flaw, tracked as CVE-2026-20184, resided in the integration between single sign-on (SSO) and the Webex Control Hub. It has been assigned the maximum CVSS score of 9.8.

Vulnerability Details

The vulnerability was caused by improper certificate validation during the SSO process. Prior to being addressed, an attacker could exploit this by connecting to a specific service endpoint and supplying a specially crafted authentication token. Because the system did not properly validate this token, the attack would succeed without requiring any user interaction or prior access.

Impact

A successful exploit would grant the attacker unauthorized access to Cisco Webex services with the privileges of any user they chose to impersonate. This could lead to a complete compromise of organizational communications, including access to sensitive meetings, messages, files, and user data. The attack is network-based and requires no user interaction, making it highly severe.

Remediation and Mitigation

Cisco has released updates that address this vulnerability. Administrators must apply the provided patches through the Cisco Webex Control Hub interface. There are no known workarounds for this flaw; patching is the only effective mitigation.

To remediate:

1. Log in to the Cisco Webex Control Hub.
2. Navigate to the service settings and apply all available updates.
3. Ensure the update process completes successfully across your organization’s Webex deployment.

Organizations should prioritize this update due to the critical severity and straightforward exploitation path.

Security Insight

This vulnerability highlights the acute risk in trust relationships between core identity services (like SSO) and application platforms. A single validation lapse at this integration point bypasses all other security layers, enabling total impersonation. Similar SSO and token validation flaws have been root causes in major breaches across other SaaS platforms, underscoring the need for rigorous, defense-in-depth security testing of authentication bridges.

Update - May 2026

Since the original April 15 advisory, Cisco released a fixed Webex Services build (v2026.03.2-107) on May 5, patching the SSO token validation flaw. No additional patches or workarounds have been issued for unsupported versions.

The CVE remains absent from CISA’s Known Exploited Vulnerabilities catalog as of mid-May, though monitoring continues. EPSS probability rose marginally from 0.00067 to 0.0007 (21st percentile), indicating low but stable threat-actor interest.

No related CVEs in the Webex Control Hub or broader SSO integration layer have been disclosed this month. Publicly reported exploitation is limited to PoC code published on May 10 by a Chinese researcher (Weibo handle @Sec_Alpha_0x3), demonstrating token replay against unpatched tenants. No signatures have been added to major IDS/IPS systems as of May 14.

Defenders should prioritize applying the May 5 build if not yet deployed, audit SSO session logs for anomalous token reuse patterns (e.g., identical JWT claims across different source IPs), and restrict Control Hub access by IP allowlist where feasible. Given the low EPSS and no KEV listing, urgency is moderate but should not delay patching in environments using SSO for admin access.

Further Reading

• Interlock Ransomware Exploits Cisco FMC Zero-Day
• CISA Warns of Zimbra, SharePoint Exploits; Cisco
• DarkSword iOS Exploit Kit Uses 6 Flaws, 3 Zero-Days for
• All Critical Vulnerabilities
• Recent Critical Vulnerabilities
• Top Critical CVEs