Cisco Webex flaw could let remote attackers impersonate any user in affected SSO setups


Cisco has disclosed a critical Webex Services vulnerability that could have let an unauthenticated remote attacker impersonate any user in affected environments. The flaw, tracked as CVE-2026-20184, carries a CVSS score of 9.8 and affects organizations that use single sign-on integration with Webex Control Hub.

The issue comes from improper certificate validation in the SSO flow. Cisco says an attacker could have connected to a vulnerable service endpoint and supplied a crafted token, which the service could accept as valid, opening the door to unauthorized access as a legitimate user.

That makes this more than a routine bug. In organizations that rely on Webex for meetings, messaging, and calling, successful impersonation could expose internal chats, meeting content, and other sensitive collaboration data. This risk assessment is an inference based on Cisco’s description of user impersonation within Webex Services.

Why this Webex bug matters

Cisco’s advisory says the flaw affects the integration of SSO with Control Hub, not every Webex deployment in the same way. The vulnerable path sits in how Webex validated certificates used during SSO authentication, which is why organizations using identity provider integrations need to pay special attention.

The company has already addressed the issue on the backend of its cloud service, but that is not the whole fix. Cisco says affected customers still need to upload a new SAML certificate for their identity provider in Webex Control Hub to fully remediate the problem and avoid service disruption.

Cisco also says there are no workarounds. That leaves administrators with one real path forward: update the SAML certificate in Control Hub and confirm the organization’s SSO setup matches Cisco’s updated guidance.

What Cisco says about exploitation

So far, Cisco says it has not seen evidence of public exploitation. The company’s Product Security Incident Response Team said it was not aware of public announcements or malicious use in the wild at the time the advisory went live.

Cisco discovered the vulnerability during internal security testing, which means this was not disclosed as an already active zero-day. Even so, the 9.8 severity score and the ability to impersonate any user make this a high-priority issue for organizations that use SSO with Webex.

The bug is cataloged under CWE-295, which covers improper certificate validation. In practice, that points to a trust failure in the authentication chain, where the system did not verify certificates as strictly as it should have.

Cisco Webex CVE-2026-20184 at a glance

Item | Verified detail
Product | Cisco Webex Services
CVE | CVE-2026-20184
Severity | CVSS 9.8
Attack type | Unauthenticated remote impersonation
Affected area | SSO integration with Control Hub
Root cause | Improper certificate validation
Workarounds | None
Required customer action | Upload a new IdP SAML certificate in Webex Control Hub

The table above reflects Cisco’s advisory and the NVD entry for the flaw.

What admins should do now

  • Review whether your Webex organization uses SSO with Control Hub.
  • Upload a new identity provider SAML certificate in Webex Control Hub, as Cisco instructs.
  • Test SSO after the update to avoid authentication failures or service interruptions. This follows from Cisco’s note that manual customer action is required to complete remediation.
  • Treat this as urgent even without confirmed exploitation, because the flaw could allow full user impersonation.
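
One way to check which certificate you are about to upload, added here as an example and not taken from Cisco's advisory: the script lists the SHA-256 fingerprints of the signing certificates in an exported IdP SAML metadata file and compares them with a fingerprint obtained from the IdP's own admin console. The function names, the entityID and the sample metadata are assumptions made for illustration, and the sample "certificates" are placeholder bytes.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signing_cert_fingerprints(metadata_xml):
    """Return (entityID, [SHA-256 hex of each IdP signing certificate])."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    prints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute covers signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            if not der:
                raise ValueError("empty X509Certificate element")
            fp = hashlib.sha256(der).hexdigest()
            if fp not in prints:  # rollover metadata may repeat a certificate
                prints.append(fp)
    if not prints:
        raise ValueError("IdP metadata carries no signing certificate")
    return root.get("entityID"), prints

def is_expected_signing_cert(metadata_xml, expected_fp):
    """True if expected_fp (hex, colons optional) is one of the signing certs."""
    wanted = expected_fp.replace(":", "").strip().lower()
    return wanted in signing_cert_fingerprints(metadata_xml)[1]

# Constructed sample: placeholder bytes stand in for DER certificates.
def _kd(use, raw):
    attr = f' use="{use}"' if use else ""
    b64 = base64.b64encode(raw).decode()
    return (f"<md:KeyDescriptor{attr}><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
            f"{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")

SAMPLE = (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
          'entityID="https://idp.example.test/saml"><md:IDPSSODescriptor '
          'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
          + _kd("signing", b"constructed-old-signing-cert")
          + _kd("encryption", b"constructed-encryption-cert")
          + _kd(None, b"constructed-new-signing-cert")
          + "</md:IDPSSODescriptor></md:EntityDescriptor>")

if __name__ == "__main__":
    entity, fps = signing_cert_fingerprints(SAMPLE)
    print(entity, *fps, sep="\n")
```

Run it only on metadata exported from your own IdP; for metadata from a source you do not control, parse with a hardened XML library such as defusedxml instead of the standard parser.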

FAQ

What is CVE-2026-20184?

It is a critical Cisco Webex Services vulnerability in the SSO integration with Control Hub. Cisco says it could have allowed an unauthenticated remote attacker to impersonate any user within the service.

Does Cisco say attackers are already exploiting it?

No. Cisco said it was not aware of public announcements or active malicious exploitation at the time of publication.

Is the backend patch enough by itself?

No. Cisco says customers using affected SSO integrations must also upload a new IdP SAML certificate in Webex Control Hub.

Are there any temporary workarounds?

No. Cisco says no workarounds are available for this vulnerability.
