Description
A vulnerability in the browser-based version of Cisco Webex App could have allowed an unauthenticated, remote attacker to redirect users to a malicious webpage. Cisco has addressed this vulnerability in the Cisco Webex App, and no customer action is needed.

This vulnerability existed due to improper input validation of URL parameters in an HTTP request. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by persuading a user to click a crafted URL. A successful exploit could have allowed the attacker to redirect a user to a malicious website.
Published: 2026-06-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the browser-based Cisco Webex App arises from inadequate validation of URL parameters in HTTP requests. An attacker can craft a link that, when a user follows it, causes the application to redirect to an arbitrary external site. As a result, a user can be sent to a malicious webpage without intending to go there, which exposes them to phishing or credential-harvesting sites. The weakness is an improper input validation flaw classified as CWE-601 (URL Redirection to Untrusted Site, 'Open Redirect').

Affected Systems

Cisco Webex App is affected. No specific version information is provided in the advisory, but the issue exists in all browser‑based deployments of the application that have not yet incorporated Cisco’s latest update.

Risk and Exploitability

The CVSS score for this vulnerability is 4.3, indicating medium severity. The EPSS score is below 1%, implying a low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is remote and unauthenticated, and relies on a user clicking a malicious link. The vulnerability requires no privileged access and can be exploited by sending the crafted URL to a victim who then clicks it.

Generated by OpenCVE AI on June 18, 2026 at 18:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Ensure you are using the latest version of the Cisco Webex App, which has resolved this issue and requires no additional customer action.
  • Alert users to verify the destination URLs before clicking any link shared in Webex sessions or messages.
  • Implement web‑filtering or proxy rules that block or flag suspicious redirects originating from the Webex app to protect users from unintended navigation.



Advisories

No advisories yet.

History

Thu, 18 Jun 2026 18:45:00 +0000

Type | Values Removed | Values Added
Title | | Improper Input Validation in Cisco Webex App Enables Unauthenticated URL Redirection

Thu, 18 Jun 2026 04:45:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability in the browser-based version of Cisco Webex App could have allowed an unauthenticated, remote attacker to redirect users to a malicious webpage. Cisco has addressed this vulnerability in the Cisco Webex App, and no customer action is needed. This vulnerability existed due to improper input validation of URL parameters in an HTTP request. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by persuading a user to click a crafted URL. A successful exploit could have allowed the attacker to redirect a user to a malicious website.
Weaknesses | | CWE-601
References | |
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}



MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-06-17T18:13:35.374Z

Reserved: 2025-10-08T11:59:15.392Z

Link: CVE-2026-20178

Vulnrichment

Updated: 2026-06-17T18:13:24.909Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T18:30:15Z

Weaknesses
  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')