MEDIUMCVE-2026-20152CVSS 5.3

CVE-2026-20152: Authentication Bypass in Cisco Secure Web Appliance

Platform

cisco

Component

secure-web-appliance

Fixed in

11.8.1

12.5.4

12.0.4

14.1.1

12.0.5

14.0.3

11.8.1

12.0.2

11.8.2

11.8.4

12.5.2

11.8.5

12.5.3

14.5.1

12.5.5

12.0.6

14.0.4

12.5.6

14.0.5

14.5.2

15.0.1

12.5.7

15.1.1

14.5.3

15.2.1

14.0.6

15.2.1

14.5.2

12.0.3

14.5.2

14.5.4

15.0.2

15.2.2

14.5.1

12.0.2

14.0.2

11.8.1

14.0.2

12.5.2

15.2.3

15.2.4

15.2.5

15.2.6

14.6.1

AI Confidence: highNVDEPSS 0.1%Reviewed: May 2026

View on NVD

Save

CVE-2026-20152 describes an authentication bypass vulnerability in the Cisco Secure Web Appliance. This flaw allows an unauthenticated, remote attacker to circumvent authentication policy requirements, potentially granting unauthorized access. The vulnerability impacts versions 11.8.0 through 15.2.5-013 of the Cisco Secure Web Appliance, and a fix is currently available from Cisco.

Impact and Attack Scenarios

Successful exploitation of CVE-2026-20152 allows an attacker to bypass authentication policies on the affected Cisco Secure Web Appliance. This means an attacker who can send crafted HTTP requests can avoid the intended security controls, potentially gaining access to resources or functionality they should not have. The impact extends beyond simple access; an attacker could potentially modify configurations or exfiltrate sensitive data depending on the appliance's role and the policies in place. While the description doesn't explicitly mention lateral movement, bypassing authentication could be a stepping stone to further compromise the network if the appliance is integrated with other systems.

Exploitation Context

CVE-2026-20152 was publicly disclosed on 2026-04-15. The CVSS score is MEDIUM (5.3), indicating a moderate risk. There is no indication of active exploitation campaigns or KEV listing at the time of writing. Public proof-of-concept exploits are currently unavailable, but the relatively straightforward nature of the vulnerability (HTTP request manipulation) suggests that one may emerge.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

Reports1 threat report

EPSS

0.08% (25% percentile)

CISA SSVC

Exploitationnone

Automatableyes

Technical Impactpartial

CVSS Vector

Affected Software

Componentsecure-web-appliance

VendorCisco

Affected rangeFixed in

11.8.0-453 – 11.8.0-45311.8.1

12.5.3-002 – 12.5.3-00212.5.4

12.0.3-007 – 12.0.3-00712.0.4

12.0.3-005 – 12.0.3-00512.0.4

14.1.0-032 – 14.1.0-03214.1.1

14.1.0-047 – 14.1.0-04714.1.1

14.1.0-041 – 14.1.0-04114.1.1

12.0.4-002 – 12.0.4-00212.0.5

14.0.2-012 – 14.0.2-01214.0.3

11.8.0-414 – 11.8.0-41411.8.1

12.0.1-268 – 12.0.1-26812.0.2

11.8.1-023 – 11.8.1-02311.8.2

11.8.3-021 – 11.8.3-02111.8.4

11.8.3-018 – 11.8.3-01811.8.4

12.5.1-011 – 12.5.1-01112.5.2

11.8.4-004 – 11.8.4-00411.8.5

12.5.2-007 – 12.5.2-00712.5.3

12.5.2-011 – 12.5.2-01112.5.3

14.5.0-498 – 14.5.0-49814.5.1

12.5.4-005 – 12.5.4-00512.5.5

12.5.4-011 – 12.5.4-01112.5.5

12.0.5-011 – 12.0.5-01112.0.6

14.0.3-014 – 14.0.3-01414.0.4

12.5.5-004 – 12.5.5-00412.5.6

12.5.5-005 – 12.5.5-00512.5.6

12.5.5-008 – 12.5.5-00812.5.6

14.0.4-005 – 14.0.4-00514.0.5

14.5.1-008 – 14.5.1-00814.5.2

14.5.1-016 – 14.5.1-01614.5.2

15.0.0-355 – 15.0.0-35515.0.1

15.0.0-322 – 15.0.0-32215.0.1

12.5.6-008 – 12.5.6-00812.5.7

15.1.0-287 – 15.1.0-28715.1.1

14.5.2-011 – 14.5.2-01114.5.3

15.2.0-116 – 15.2.0-11615.2.1

14.0.5-007 – 14.0.5-00714.0.6

15.2.0-164 – 15.2.0-16415.2.1

14.5.1-510 – 14.5.1-51014.5.2

12.0.2-012 – 12.0.2-01212.0.3

12.0.2-004 – 12.0.2-00412.0.3

14.5.1-607 – 14.5.1-60714.5.2

14.5.3-033 – 14.5.3-03314.5.4

15.0.1-004 – 15.0.1-00415.0.2

15.2.1-011 – 15.2.1-01115.2.2

14.5.0-673 – 14.5.0-67314.5.1

14.5.0-537 – 14.5.0-53714.5.1

12.0.1-334 – 12.0.1-33412.0.2

14.0.1-503 – 14.0.1-50314.0.2

14.0.1-053 – 14.0.1-05314.0.2

11.8.0-429 – 11.8.0-42911.8.1

14.0.1-040 – 14.0.1-04014.0.2

14.0.1-014 – 14.0.1-01414.0.2

12.5.1-043 – 12.5.1-04312.5.2

15.2.2-009 – 15.2.2-00915.2.3

15.2.3-007 – 15.2.3-00715.2.4

15.2.4-022 – 15.2.4-02215.2.5

15.2.5-011 – 15.2.5-01115.2.6

15.2.5-013 – 15.2.5-01315.2.6

14.6.0-108 – 14.6.0-10814.6.1

Weakness Classification (CWE)

CWE-305

Timeline

Reserved2025-10-08
Published2026-04-15
Modified2026-04-16
EPSS updated2026-04-23

Unpatched — 39 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2026-20152 is to upgrade to a patched version of Cisco Secure Web Appliance. Cisco has released a fix, though the specific version is not provided in the CVE details. Before upgrading, review Cisco's release notes to ensure compatibility with your existing infrastructure and to understand any potential breaking changes. If an immediate upgrade is not feasible, consider implementing stricter HTTP request validation rules at a proxy or WAF level to filter out potentially malicious requests. Monitor authentication logs for suspicious activity and unusual patterns.

How to fix

Update your Cisco Secure Web Appliance to a corrected version. See the Cisco advisory (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wsa-auth-bypass-6YZkTQhd) for details on corrected versions and upgrade instructions.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-20152 — Authentication Bypass in Cisco Secure Web Appliance?

CVE-2026-20152 is a medium-severity vulnerability in Cisco Secure Web Appliance allowing unauthenticated attackers to bypass authentication policies via crafted HTTP requests, potentially granting unauthorized access.

Am I affected by CVE-2026-20152 in Cisco Secure Web Appliance?

You are affected if you are using Cisco Secure Web Appliance versions 11.8.0 through 15.2.5-013. Check your version and upgrade as soon as possible.

How do I fix CVE-2026-20152 in Cisco Secure Web Appliance?

Upgrade to a patched version of Cisco Secure Web Appliance. Consult Cisco's advisory for the specific fixed version and release notes.

Is CVE-2026-20152 being actively exploited?

There is currently no indication of active exploitation, but the vulnerability's nature suggests potential for exploitation.

Where can I find the official Cisco advisory for CVE-2026-20152?

Refer to the official Cisco Security Advisory for CVE-2026-20152 on Cisco's website (search for CVE-2026-20152 on Cisco.com).

NextGuard

Vulnerabilities

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Search CVEs

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: None — no confidentiality impact. Attacker cannot read protected data.
Integrity: Low — attacker can modify some data with limited scope or impact.
Availability: None — no availability impact. Service remains fully operational.