Platform: cisco
Component: webex-meetings
Fixed in: 39.7.8, 39.9.1, 40.4.11, 39.6.1, 40.6.3, 39.8.3, 39.8.5, 40.1.1, 39.11.1, 39.7.5, 39.9.2, 40.4.1, 40.6.1, 39.7.1, 39.8.1, 39.8.4, 40.2.1, 39.10.1, 42.6.1, 42.7.1, 42.8.1, 42.9.1, 42.10.1, 42.11.1, 42.12.1, 43.1.1, 43.2.1, 43.3.1, 43.4.1, 43.4.2, 43.4.3, 43.5.1, 43.6.1, 43.6.2, 43.7.1, 43.8.1, 43.9.1, 43.10.1, 43.11.1, 43.12.1, 44.1.1, 44.2.1, 44.3.1, 44.4.1, 44.5.1, 44.6.1, 44.7.1, 44.8.1, 44.9.1, 44.10.1, 44.11.1, 44.12.1, 45.1.1, 45.2.1, 45.3.1, 45.4.1
CVE-2026-20184 is a critical vulnerability affecting the integration of single sign-on (SSO) with Control Hub in Cisco Webex Meetings. A remote, unauthenticated attacker could exploit this flaw to impersonate any user within the service, potentially leading to significant data breaches and service disruption. This vulnerability impacts versions 39.6 through 45.4 of Webex Meetings, and Cisco has released a patch to address the issue.
CVE-2026-20184 in Cisco Webex Meetings represents a critical risk due to its potential for impersonation. An unauthenticated, remote attacker could exploit this flaw in the single sign-on (SSO) integration with Control Hub to impersonate any user within the service. The CVSS score is 9.8, indicating a severe impact. The root cause is improper certificate validation, which allows an attacker to present a crafted token to gain unauthorized access. The lack of an available fix exacerbates the situation, leaving organizations vulnerable until alternative mitigation measures are implemented. The absence of an official Cisco KEV (Knowledge Base Entry Vulnerability) further hinders risk assessment and limits the detailed information available.
An attacker could exploit this vulnerability by connecting to a Webex service endpoint and providing a specially crafted token. The deficient certificate validation allows this fraudulent token to be accepted, granting the attacker access to another user's account. This access could be used to steal confidential information, disrupt meetings, or even compromise the entire organization's security. The remote and unauthenticated nature of the exploitation makes it particularly dangerous, as an attacker could operate from any location without needing initial credentials. The lack of a KEV makes it difficult to fully understand the exploitation techniques, but the vulnerability description suggests an attack based on token manipulation.
Exploit Status
EPSS: 0.07% (21% percentile)
Given that Cisco has not provided a direct fix for CVE-2026-20184, organizations using Cisco Webex Meetings should implement immediate mitigation measures. We strongly recommend reviewing and strengthening SSO security policies, including implementing multi-factor authentication (MFA) for all users. Furthermore, closely monitor Webex audit logs for suspicious activity or unauthorized access attempts. Consider network segmentation to limit access to Control Hub services. While there is no official solution, implementing these measures can significantly reduce the risk of exploitation. Stay updated on any Cisco announcements and seek alternative solutions or unofficial patches with caution.
Update Cisco Webex Meetings to a fixed version to mitigate the certificate validation vulnerability. See the Cisco advisory (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-cui-cert-8jSZYhWL) for specific instructions and fixed versions.
It indicates a critical vulnerability with a high potential for exploitation and a significant impact.
Cisco has not yet released a fix for this vulnerability. We recommend monitoring Cisco updates.
SSO (Single Sign-On) allows users to access multiple applications with a single set of credentials. This vulnerability affects the security of this process.
Control Hub is a centralized management platform for Cisco Webex Services.
Review your Webex SSO configuration and monitor audit logs for suspicious activity.