Cisco Catalyst Center Vulnerability Allows Unauthenticated File Reads
A path-traversal vulnerability in Cisco Catalyst Center (CVE-2026-20191) allows unauthenticated remote attackers to read arbitrary files, posing a significant confidentiality risk.

Cisco has disclosed a critical security flaw affecting its Catalyst Center platform, a widely used solution for centralized network management and automation. The vulnerability, identified as CVE-2026-20191, is a path-traversal weakness that allows unauthenticated remote attackers to read arbitrary files from affected systems. With a CVSS score of 7.5, this high-severity issue poses a significant risk to the confidentiality of sensitive data.
The root cause of the vulnerability lies in insufficient validation of user-supplied input within the Catalyst Center interface. Attackers can exploit this by sending specially crafted HTTP requests to a vulnerable instance. Successful exploitation grants them access to sensitive files stored within a restricted container environment on the affected device. This could include configuration files, credentials, or other system data that could be leveraged for further malicious activities or lateral movement within a network.
Cisco Catalyst Center, formerly known as Cisco DNA Center, is deployed in numerous enterprise environments, managing everything from network access to policy enforcement. The vulnerability impacts both hardware appliances and virtual deployments, including those running on cloud platforms like AWS and Microsoft Azure, as well as VMware ESXi. The flaw is present regardless of the specific configuration of the deployed instance.
While the vulnerability does not permit attackers to modify data or cause service disruptions, the ability to exfiltrate arbitrary files presents a substantial confidentiality threat. Security professionals warn that the information gained could be instrumental in planning more sophisticated attacks or gaining deeper access to an organization's infrastructure.
Cisco has stated that there are currently no available workarounds to mitigate this vulnerability. Therefore, immediate patching is strongly recommended. The issue is resolved in Catalyst Center versions 3.1.6 GSMU200 and VMware ESXi 2.3.7.11-VA GSMU100 (for 2.3.7) and 3.1.6 GSMU200 (for 3.1). Versions earlier than 3.1 are not affected.
At the time of disclosure, Cisco reported no evidence of active exploitation in the wild, nor were any public proof-of-concept exploits or active attack campaigns identified. The vulnerability was reportedly discovered internally by Cisco's Technical Assistance Center (TAC) team during the investigation of a support case.
Despite the lack of observed exploitation, the ease with which this vulnerability can be exploited—requiring only simple HTTP request crafting and no authentication—lowers the barrier for potential attackers. Organizations with internet-facing Catalyst Center instances or improperly segmented management interfaces are particularly vulnerable and should prioritize applying the available patches.
To further enhance security, organizations are advised to restrict external access to their Catalyst Center management interfaces, implement robust log monitoring for suspicious HTTP requests targeting file paths, and conduct regular security audits. Proper network segmentation also plays a crucial role in limiting the potential impact of such vulnerabilities.