
CVE-2026-20184: Anyone Can Impersonate Anyone on Cisco Webex

CVSS 9.8. No authentication required. An attacker can impersonate any user in your Webex org, access meetings, files, and conversations. Here's what you need to know.

Darius J Davis · April 19, 2026

If your company uses Webex with SSO, read this now.

CVE-2026-20184 is a critical authentication bypass in Cisco Webex Services. CVSS score: 9.8. The flaw lets an unauthenticated, remote attacker impersonate any user in a Webex organization.

Any user. Including the CEO. Including the person who handles payroll. Including whoever has access to the board meeting recordings.

The vulnerability is in how Webex validates SAML certificates during the single sign-on (SSO) handshake. In a normal SSO login, your identity provider (IdP) sends Webex a signed SAML assertion that says who you are, and Webex is supposed to check that signature against the IdP certificate registered in Control Hub before trusting anything in it. Because of improper certificate validation, that check was not doing its job. An attacker could forge a SAML assertion, present it to Webex, and be logged in as whoever the assertion named.

No password needed. No MFA prompt. No credential theft required. Just a forged assertion that Webex accepted because it wasn't checking the signing certificate properly.
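To make that trust decision concrete, here is an added toy model. It is not Webex code and not Cisco's published root cause: the advisory, as described above, says only "improper certificate validation". The specific broken check modeled below, verifying the signature with the certificate carried inside the assertion instead of the one registered in Control Hub, is one common way that class of bug shows up and is an assumption for illustration. Textbook RSA over fixed Mersenne primes stands in for X.509 certificates; the issuer and audience URLs are placeholders.

```python
"""Toy model of the SAML trust decision an SSO-enabled service has to get right.

Added illustration, not Webex code. Textbook RSA over fixed Mersenne primes stands in
for the IdP's X.509 certificate; it is deterministic and far too small for real use.
"""
import hashlib
import json

E = 65537


def toy_keypair(p, q):
    """Return (public, private) RSA keys from two primes. Toy only: fixed primes, tiny modulus."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return {"n": n, "e": E}, {"n": n, "d": d}


def digest(body):
    """Canonicalize the assertion body and hash it; the hash is what gets signed."""
    data = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(body, priv):
    return pow(digest(body) % priv["n"], priv["d"], priv["n"])


def verify(body, sig, pub):
    return pow(sig, pub["e"], pub["n"]) == digest(body) % pub["n"]


# The IdP key plays the certificate an admin uploaded to Control Hub; the attacker key is
# one the attacker generated themselves. Both are hypothetical.
IDP_PUB, IDP_PRIV = toy_keypair(2**31 - 1, 2**61 - 1)
ATTACKER_PUB, ATTACKER_PRIV = toy_keypair(2**89 - 1, 2**107 - 1)


def make_assertion(subject, issuer, audience, priv, key_info):
    """A signed assertion. Like SAML's <KeyInfo>, it carries the signer's own public key."""
    body = {"issuer": issuer, "subject": subject, "audience": audience}
    return {"body": body, "signature": sign(body, priv), "key_info": key_info}


def vulnerable_sp_accept(assertion):
    """Broken check (assumed bug class): trusts whatever key the assertion itself carries.

    The signature is mathematically valid under that key, so this passes for any subject
    the attacker chooses to name.
    """
    return verify(assertion["body"], assertion["signature"], assertion["key_info"])


def hardened_sp_accept(assertion, pinned_idp_pub, expected_issuer, expected_audience):
    """Correct check: the key comes from the service's own configuration, never from the
    message, and issuer and audience must match what was configured for this org."""
    body = assertion["body"]
    if body["issuer"] != expected_issuer or body["audience"] != expected_audience:
        return False
    return verify(body, assertion["signature"], pinned_idp_pub)


def demo():
    issuer = "https://idp.example.com"          # assumed IdP entity ID
    audience = "https://sp.webex.example/org-1"  # assumed SP entity ID (placeholder host)
    legit = make_assertion("alice@example.com", issuer, audience, IDP_PRIV, IDP_PUB)
    # The attacker copies the real issuer and audience and signs with their own key.
    forged = make_assertion("ceo@example.com", issuer, audience, ATTACKER_PRIV, ATTACKER_PUB)
    return {
        "legit_vulnerable": vulnerable_sp_accept(legit),
        "forged_vulnerable": vulnerable_sp_accept(forged),   # accepted: impersonation
        "legit_hardened": hardened_sp_accept(legit, IDP_PUB, issuer, audience),
        "forged_hardened": hardened_sp_accept(forged, IDP_PUB, issuer, audience),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:18} accepted={accepted}")
```

The issuer and audience checks alone do not help here, because the attacker can copy those strings from any real login. The control that matters is that the verification key is pinned to what the administrator uploaded, which is also why Cisco's "re-upload your IdP certificate" guidance is aimed at exactly this trust anchor.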

What an attacker gets.

Think about what lives in your Webex environment:

  • Recordings of internal meetings. Strategy discussions. HR conversations. Legal reviews. M&A talks.
  • Shared files. Financial reports. Client data. Contracts.
  • Chat history. Direct messages between employees. Channels where sensitive topics are discussed candidly because people think it's private.
  • Contact lists and org charts. Who reports to whom. Who has what role.

An attacker impersonating an executive could join meetings, download recordings, read messages, and exfiltrate files. They could also send messages as that executive, which is the business email compromise playbook run over chat instead of email.

"Hey, this is [CEO name] on Webex. I need you to process a wire transfer. Details in the chat."

If that message comes from what appears to be the CEO's actual Webex account, how is your employee supposed to know it's fake?

Who's affected.

Only organizations using cloud-based Cisco Webex Services with SSO enabled through Control Hub are affected. If you use Webex without SSO, you're not affected by this specific CVE. On-premises Webex deployments are also not vulnerable.

Cisco patched this on the cloud side, so there's no customer-side patch to apply. But Cisco is recommending that organizations using SSO re-upload their identity provider's SAML certificate to Control Hub as a precaution.

The other Cisco CVEs from the same week.

CVE-2026-20184 wasn't alone. Cisco dropped patches for three additional critical vulnerabilities in Identity Services Engine (ISE) the same week:

  • CVE-2026-20180 and CVE-2026-20186: Vulnerabilities in ISE that could allow attackers to bypass authentication or execute unauthorized actions in enterprise identity and access management systems.
  • CVE-2026-20147: Another ISE flaw affecting core authentication functions.

If your company runs Cisco ISE for network access control (a lot of mid-size businesses do), check your patch status immediately.

The pattern you need to see.

Cisco Webex. Microsoft Teams. Zoom. Slack. Google Meet. These collaboration platforms hold some of the most sensitive conversations in your business, and they're all cloud services where security is largely out of your hands.

When a vulnerability like CVE-2026-20184 drops, your security depends on the vendor patching it quickly. In this case, Cisco did. But between the time the vulnerability existed and the time it was patched, any organization with SSO-enabled Webex was theoretically exposed to user impersonation.

You can't control when the vendor patches. What you can control:

Monitor vendor security advisories. Subscribe to Cisco's security advisory RSS feed for the products you run. CISA's KEV catalog is a useful second signal, but it only lists vulnerabilities with confirmed in-the-wild exploitation, so it will often lag the vendor advisory. When a critical CVE drops for a product you use, you need to know about it the same day.

Audit your collaboration platform access. Who has access to your Webex org? Are there old accounts for former employees? Guest accounts that were never cleaned up? API integrations you forgot about? Reduce the attack surface by removing access that shouldn't exist.

Don't put everything in one basket. If your most sensitive conversations, your most confidential files, and your authentication system all flow through one vendor's cloud, a single vulnerability exposes everything. Consider where you store your most sensitive data and whether it should live in a collaboration platform at all.

Log and monitor access. Webex and most collaboration platforms have admin audit logs. Are you reviewing them? A login from a forged assertion looks like a normal successful SSO login in the log, so the tell is context: an unusual IP or location, an odd hour, or a user who shows up in two countries an hour apart. But only if someone's looking.
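As an added example of what "looking" can mean in practice (this is not Webex tooling, and the log lines are constructed, not real Control Hub output), the script below reads sign-in events in a simplified one-JSON-object-per-line shape and flags two things: a user signing in from a country outside their baseline, and two sign-ins from different countries too close together to be real travel. The field names, the baseline table and the three-hour window are assumptions; map the real audit export into this shape before running it against your own data.

```python
"""Flag SSO sign-ins that do not fit a user's usual locations.

Added example, not Webex tooling. The log lines are constructed and use a simplified
one-JSON-object-per-line shape; map the real Control Hub audit export into it first.
"""
import json
from datetime import datetime, timedelta

# Constructed sample events (not real Webex audit output).
SAMPLE_LOG = """\
{"ts": "2026-04-20T08:02:11Z", "actor": "alice@example.com", "event": "login", "ip": "203.0.113.10", "country": "US", "auth": "sso"}
{"ts": "2026-04-20T08:10:43Z", "actor": "ceo@example.com", "event": "login", "ip": "203.0.113.22", "country": "US", "auth": "sso"}
{"ts": "2026-04-20T08:41:07Z", "actor": "ceo@example.com", "event": "login", "ip": "198.51.100.77", "country": "RO", "auth": "sso"}
{"ts": "2026-04-20T09:15:30Z", "actor": "bob@example.com", "event": "login", "ip": "203.0.113.31", "country": "US", "auth": "sso"}
{"ts": "2026-04-20T11:00:00Z", "actor": "ceo@example.com", "event": "login", "ip": "203.0.113.22", "country": "US", "auth": "sso"}
"""

# Countries each user has signed in from over a prior baseline period (constructed).
BASELINE = {
    "alice@example.com": {"US"},
    "ceo@example.com": {"US"},
    "bob@example.com": {"US"},
}

# Two sign-ins from different countries closer together than this are not plausible travel.
TRAVEL_WINDOW = timedelta(hours=3)


def parse_events(text):
    """Parse one JSON event per line and return them ordered by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_logins(events, baseline, window=TRAVEL_WINDOW):
    """Return a list of findings; each is a dict with actor, ts, rule, detail and ip."""
    findings = []
    last_login = {}  # actor -> that actor's most recent login event
    for event in events:
        if event["event"] != "login":
            continue
        actor = event["actor"]
        # Rule 1: country never seen for this user during the baseline period.
        if event["country"] not in baseline.get(actor, set()):
            findings.append({"actor": actor, "ts": event["ts"], "rule": "new-country",
                             "detail": event["country"], "ip": event["ip"]})
        # Rule 2: country changed since the previous login, within the travel window.
        prev = last_login.get(actor)
        if prev and prev["country"] != event["country"] and event["ts"] - prev["ts"] <= window:
            findings.append({"actor": actor, "ts": event["ts"], "rule": "country-change-in-window",
                             "detail": f"{prev['country']}->{event['country']}", "ip": event["ip"]})
        last_login[actor] = event
    return findings


def run_sample():
    return find_suspicious_logins(parse_events(SAMPLE_LOG), BASELINE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['ts']:%Y-%m-%d %H:%M} {f['actor']:20} {f['rule']:24} {f['detail']} from {f['ip']}")
```

On the sample, every event is a successful SSO login, which is exactly what an impersonation through a forged assertion would look like; only the executive's Romania sign-in sandwiched between two US sign-ins stands out, and it is caught by both rules. Tune the baseline window and the travel window to your workforce, and feed the findings somewhere a human will actually read them.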

For small businesses using Webex.

If you use Webex with SSO (which usually means you have an identity provider like Azure AD (now Microsoft Entra ID), Okta, or Google Workspace handling authentication), follow Cisco's guidance and re-upload your IdP SAML certificate to Control Hub.

If you use Webex without SSO (just regular username/password login), this specific CVE doesn't apply to you. But take it as a reminder to review who has access to your Webex org and clean up any accounts that shouldn't be there.

And if you're not sure which setup you have, that in itself is a problem worth fixing.


