CVE-2026-20184: Cisco Webex SSO Certificate Validation Bypass Enables User Impersonation

What This Vulnerability Is

A vulnerability in the integration of single sign-on (SSO) with Control Hub in Cisco Webex Services could have allowed an unauthenticated, remote attacker to impersonate any user within the service. This vulnerability existed because of improper certificate validation. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by connecting to a service endpoint and supplying a crafted token. A successful exploit could have allowed the attacker to gain unauthorized access to legitimate Cisco Webex services.

The National Vulnerability Database assigned this issue a CVSS base score of 9.8, placing it in the CRITICAL category. The identifier CVE-2026-20184 was published on 2026-04-15T17:17:03.677.

CVE Identifier

CVE-2026-20184

CVSS Base Score

9.8 / 10.0 (CRITICAL)

Published

2026-04-15T17:17:03.677

NVD Entry

https://nvd.nist.gov/vuln/detail/CVE-2026-20184

MITRE Entry

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20184

Who Is Affected

Based on the vulnerability data published by NVD, the following products and configurations are identified as affected:

• Specific affected products are listed in the NVD entry. Review the CPE data for your stack.

If your organization uses any of the above, this vulnerability applies to your environment. Even if your specific version is not listed, review the full CPE match data to confirm.

Detection: Sigma Rule

The following Sigma rule detects anomalous SSO authentication patterns consistent with CVE-2026-20184 exploitation against Cisco Webex Control Hub.

title: CVE-2026-20184 - Cisco Webex SSO Certificate Validation Bypass
id: 9a4b3c2d-5e6f-4a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects authentication events with anomalous certificate attributes or token patterns indicating potential exploitation of Cisco Webex SSO certificate validation bypass
author: Sherlock Forensics
date: 2026/04/20
references:
    - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-cui-cert-8jSZYhWL
    - https://nvd.nist.gov/vuln/detail/CVE-2026-20184
logsource:
    product: cisco
    service: webex
    category: authentication
detection:
    selection_sso:
        EventType: 'SSO_AUTH'
        AuthMethod: 'SAML'
    suspicious_cert:
        - CertificateIssuer|contains:
            - 'self-signed'
            - 'unknown'
        - CertificateValidation: 'FAILED'
        - TokenSource: 'EXTERNAL'
    suspicious_impersonation:
        - UserAgent|contains: 'curl'
        - UserAgent|contains: 'python-requests'
        - UserAgent|contains: 'Go-http-client'
        - SourceIP|cidr:
            - '10.0.0.0/8'
    condition: selection_sso and (suspicious_cert or suspicious_impersonation)
falsepositives:
    - Legitimate SSO integrations with misconfigured certificates
    - Development and testing environments
level: critical
tags:
    - attack.initial_access
    - attack.t1078
    - attack.t1199
    - cve.2026.20184

Detection: Snort/Suricata IDS Rules

These network-level rules detect crafted SAML token submissions targeting the Webex SSO endpoint.

# Snort/Suricata rules for CVE-2026-20184
# Detects crafted SSO token submission to Cisco Webex

alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
    msg:"SHERLOCK CVE-2026-20184 Cisco Webex Crafted SSO Token";
    flow:established,to_server;
    content:"POST"; http_method;
    content:"/idb/token"; http_uri;
    content:"SAMLResponse"; http_client_body;
    pcre:"/(?:X509Certificate|SignatureValue)[^<]{500,}/i";
    classtype:web-application-attack;
    sid:2026184001; rev:1;
    reference:cve,2026-20184;
    metadata:affected_product Cisco_Webex, severity critical;
)

alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
    msg:"SHERLOCK CVE-2026-20184 Webex SSO Impersonation Attempt";
    flow:established,to_server;
    content:"POST"; http_method;
    content:"/idb/token"; http_uri;
    content:"NameID"; http_client_body;
    content:"X509Certificate"; http_client_body;
    content:"NotBefore"; http_client_body;
    pcre:"/NameID[^<]*@[^<]*<.*X509Certificate/si";
    classtype:web-application-attack;
    sid:2026184002; rev:1;
    reference:cve,2026-20184;
    metadata:affected_product Cisco_Webex, severity critical;
)

alert tls $EXTERNAL_NET any -> $HOME_NET 443 (
    msg:"SHERLOCK CVE-2026-20184 Self-Signed Cert in Webex SSO Flow";
    flow:established,to_server;
    tls.cert_issuer; content:"CN="; content:!"DigiCert"; content:!"GlobalSign";
    content:!"Let's Encrypt"; content:!"Comodo"; content:!"GeoTrust";
    tls.cert_subject; content:"webex";
    classtype:web-application-attack;
    sid:2026184003; rev:1;
    reference:cve,2026-20184;
    metadata:affected_product Cisco_Webex, severity high;
)

Illustrative Exploit Pattern

ILLUSTRATIVE ONLY. This is a simplified representation of the attack pattern for detection engineering purposes. This is not a working exploit.

The attack exploits improper certificate validation in the Webex SSO integration with Control Hub. An attacker crafts a SAML assertion with a self-signed certificate that Webex fails to properly validate:

<!-- ILLUSTRATIVE - NOT A WORKING EXPLOIT -->
<!-- Shows the SAML structure for detection signature development -->

<!-- Step 1: Attacker crafts a SAML Response with forged assertion -->
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                Destination="https://idbroker.webex.com/idb/token">
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">

    <!-- Forged identity: impersonating target user -->
    <saml:Subject>
      <saml:NameID>admin@target-org.com</saml:NameID>
    </saml:Subject>

    <!-- Self-signed certificate used for signature -->
    <ds:Signature>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            [ATTACKER-CONTROLLED SELF-SIGNED CERTIFICATE]
            [Webex fails to validate this against trusted CA list]
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>

    <!-- Conditions set to be valid at time of attack -->
    <saml:Conditions NotBefore="2026-04-16T00:00:00Z"
                     NotOnOrAfter="2026-04-17T00:00:00Z">
    </saml:Conditions>

  </saml:Assertion>
</samlp:Response>

<!-- Step 2: POST the forged assertion to the Webex token endpoint -->
POST /idb/token HTTP/1.1
Host: idbroker.webex.com
Content-Type: application/x-www-form-urlencoded

SAMLResponse=[base64-encoded-forged-assertion]

<!-- Step 3: Webex accepts the assertion without proper cert validation -->
<!-- Step 4: Attacker receives valid session token for impersonated user -->

What to Look for in Your Logs

Cisco Webex Admin Audit Logs

Check Control Hub admin logs and Webex service logs for signs of exploitation:

# Export Webex admin audit logs from Control Hub:
# admin.webex.com > Troubleshooting > Logs > Audit Logs

# Look for these patterns in exported audit logs:

# 1. SSO logins from unusual IP ranges
grep -i "sso.*login\|saml.*auth" webex_audit_*.csv | \
  awk -F',' '{print $4, $6, $8}' | sort | uniq -c | sort -rn

# 2. Multiple users authenticating from the same source IP in a short window
# (indicates token forging with different NameID values)
grep -i "login_success" webex_audit_*.csv | \
  awk -F',' '{print $6}' | sort | uniq -c | sort -rn | head -20

# 3. Authentication events with certificate warnings
grep -i "cert.*warn\|cert.*fail\|invalid.*cert\|self.signed" \
  webex_audit_*.csv

Identity Provider (IdP) Logs

Cross-reference your IdP logs with Webex authentication events:

# Compare IdP-initiated SSO events against Webex login events
# If Webex shows a login that your IdP did NOT initiate, that is a red flag

# For Okta:
# System Log > filter: eventType eq "user.authentication.sso"
# AND target.displayName co "Webex"

# For Azure AD:
# Azure Portal > Azure AD > Sign-in logs
# Filter: Application = "Cisco Webex"
# Look for: Sign-ins NOT originating from your Azure AD

# For on-prem ADFS:
Get-WinEvent -FilterHashtable @{
  LogName='Security'; Id=4769
} | Where-Object {
  $_.Message -match 'webex' -and $_.Message -match 'certificate'
} | Format-List TimeCreated, Message

Triage Commands

Determine your exposure and check for signs of exploitation:

# 1. Check if your org uses SSO with Webex Control Hub
#    Login to admin.webex.com > Organization Settings > Authentication
#    If SSO is enabled, you may be affected

# 2. Export recent authentication events via Webex API
curl -s -H "Authorization: Bearer $WEBEX_ADMIN_TOKEN" \
  "https://webexapis.com/v1/adminAudit/events?from=2026-04-01T00:00:00Z&to=2026-04-20T23:59:59Z&resource=logins" \
  | python3 -m json.tool | grep -i "sso\|saml\|cert"

# 3. Check for users added or modified without admin action
curl -s -H "Authorization: Bearer $WEBEX_ADMIN_TOKEN" \
  "https://webexapis.com/v1/adminAudit/events?from=2026-04-01T00:00:00Z&resource=users&action=created" \
  | python3 -m json.tool

# 4. Review Webex SSO certificate configuration
#    admin.webex.com > Organization Settings > Authentication
#    Verify the certificate matches your IdP's signing certificate
#    A changed or unknown certificate is a critical finding

# 5. Cross-check meeting access and message history
#    If an attacker impersonated a user, check for:
#    - Meetings joined by the impersonated identity
#    - Messages sent from the impersonated identity
#    - Files accessed or downloaded
#    - Spaces joined or created

IOC Hunt List

Use these indicators of compromise to determine whether CVE-2026-20184 has been exploited in your environment:

Authentication Indicators

• SSO login events where the authentication source does not match your organization's IdP
• Multiple user accounts authenticated from the same IP address in rapid succession
• Login events for users during off-hours or from geographic locations inconsistent with their normal pattern
• SAML assertions with certificate issuers not matching your IdP's configured signing certificate
• Authentication events with self-signed or unknown certificate attributes

Post-Exploitation Indicators

• Webex meetings created or joined by accounts that were simultaneously logged in elsewhere
• Messages sent from user accounts during periods the real user was offline
• New Webex spaces created with external participants immediately after SSO authentication
• Bulk file downloads or exports from Webex spaces after anomalous login events
• Administrative changes (user additions, role modifications) not initiated by known admins

Network Indicators

• POST requests to idbroker.webex.com/idb/token from non-IdP source IPs
• TLS connections to Webex endpoints presenting self-signed or untrusted certificates
• SAML assertions with anomalously large payloads (may indicate certificate stuffing)
• Connections from known anonymization services (VPNs, Tor) to Webex SSO endpoints

What to Do About It

Here is what we recommend, in order of priority:

1. Check your exposure. Determine whether the affected software or component is present in your environment. Asset inventories and software composition analysis (SCA) tools are the fastest route.
2. Apply the patch. If a vendor patch or updated version is available, apply it. Check the references below for vendor advisories.
3. Mitigate if patching is not immediate. If you cannot patch right now, evaluate whether network segmentation, access control changes or configuration adjustments reduce the attack surface for this specific vulnerability.
4. Monitor for exploitation. Check whether proof-of-concept exploit code exists. The CISA Known Exploited Vulnerabilities catalog tracks actively exploited CVEs.
5. Document your response. Record what you checked, when you patched and what residual risk remains. This matters for compliance and for incident response if this vulnerability is exploited later.

Why This Matters for Companies Without Security Teams

A CVSS score of 9.8 means this vulnerability is straightforward to exploit, likely to cause significant damage or both. For startups and small companies operating without a dedicated security team, vulnerabilities at this severity level represent real operational risk rather than theoretical concern.

The challenge is not awareness. Vulnerability databases are public. The challenge is triage: understanding whether a given CVE affects your specific stack and knowing what to do about it before an attacker does. If you lack the internal capacity to perform that assessment, an external review of your exposure is a concrete next step.

Sherlock Forensics provides vulnerability assessment and penetration testing for organizations that need to understand their attack surface without building a full internal security function.

References and Further Reading

• NVD: CVE-2026-20184
• MITRE: CVE-2026-20184
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-cui-cert-8jSZYhWL
• CISA Known Exploited Vulnerabilities Catalog