Cisco Catalyst Center CVE-2026-20191: unauth arbitrary file read
Cisco advisory cisco-sa-catc-file-read-wLH2vf8X patches CVE-2026-20191, a CVSS 7.5 pre-auth path traversal in Catalyst Center. Fixed in 3.1.6 GSMU200 and 2.3.7.11-VA GSMU100. No workaround.
Cisco published advisory cisco-sa-catc-file-read-wLH2vf8X covering CVE-2026-20191, a CVSS 7.5 path traversal in Cisco Catalyst Center (the platform formerly branded Cisco DNA Center). An unauthenticated remote attacker can send a crafted HTTP request and read arbitrary files out of the restricted container that services the Catalyst Center web interface. No workaround exists — Cisco says the only mitigation is upgrading.
What the bug is
The class is CWE-22 — improper limitation of a pathname to a restricted directory. The Catalyst Center web front-end fails to validate a user-supplied component of an HTTP request, and directory-traversal sequences let an unauthenticated caller escape the intended file scope and read files inside the container that serves the interface. Per Cisco's advisory summary carried at SystemTek and Cybersecurity News, what's reachable is limited to files inside that container's file system, not the full appliance — but that container holds configuration state, tokens, and application data, and any file the container process can read, the attacker can too.
Cisco has not published the specific request pattern. There is no public proof-of-concept at the time of the advisory.
Affected versions
Per the advisory and confirmed across secondary coverage:
- Cisco Catalyst Center 2.3.7.x — affected before 2.3.7.11-VA GSMU100.
- Cisco Catalyst Center 3.1.x — affected before 3.1.6 GSMU200.
Cisco states this covers both hardware appliances and virtual deployments (VMware ESXi, AWS, Azure). Deployments on the 2.3.7 branch move to 2.3.7.11-VA GSMU100; deployments on the 3.1 branch move to 3.1.6 GSMU200. Cisco lists no workaround and no configuration-level mitigation — the patch is the fix.
Exploitation status
Per the advisory, the Cisco PSIRT is not aware of any public announcements or malicious use of this vulnerability at publication. No public PoC has surfaced. That means the operational window is the one Cisco just opened by describing the bug class and the affected surface: attackers with access to diffing tools and Catalyst Center images now have the anchor points needed to reproduce.
Catalyst Center is not usually internet-exposed by design — it's a management platform that lives on the ops network — but internet-reachable instances do exist, and internal-only exposure is not a mitigation against an authenticated internal attacker or a foothold that reaches the ops VLAN. Historical scanning queries for Catalyst Center / DNA Center on Shodan look for the fingerprint on the web UI:
http.title:"Cisco DNA Center"
http.title:"Cisco Catalyst Center"
These aren't advisory-published queries; they're the same fingerprint anyone triaging exposure has used against the platform since the DNA-to-Catalyst rebrand.
Action checklist
- Upgrade to the fixed builds now. 2.3.7.x branch → 2.3.7.11-VA GSMU100. 3.1.x branch → 3.1.6 GSMU200. Cisco ships no workaround; there is nothing to toggle, only the version bump.
- If the upgrade slips your maintenance window, isolate the management-plane interface. Restrict inbound HTTP/HTTPS to the Catalyst Center web UI to a narrow list of jump-host source IPs at the network layer. This does not fix the bug, but it shrinks the reachable population while you schedule.
- Audit for prior exposure of files the container process could read. Application credentials, API tokens, SNMP community strings, TACACS keys, integration secrets, and any material stored inside the Catalyst Center configuration surface should be assumed readable retroactively if the appliance was reachable from an untrusted network before patching. Rotate the ones that matter — treat this like a token-leak incident, not a code-execution incident.
- Check external exposure. Any Catalyst Center instance with a public HTTP/HTTPS interface should not have one. This has been true since the rebrand; CVE-2026-20191 raises the cost of forgetting it.
- Log-review focus: anomalous unauthenticated HTTP requests to Catalyst Center paths, particularly requests carrying
..sequences or URL-encoded traversal (%2e%2e%2f,%252e%252e%252f). Cisco has not published a definitive detection signature; grep the reverse-proxy or WAF logs in front of the appliance for traversal patterns is the workable interim.
Context
CVE-2026-20191 is the third unauthenticated file-touch primitive Cisco has shipped an advisory for on its network-management surface in 2026. CVE-2026-20245, a Catalyst SD-WAN Manager arbitrary write, was disclosed as a zero-day in May and used to plant webshells; CVE-2026-20262 followed in June and went straight into CISA KEV; CVE-2026-20230 exercised the same shape against Cisco Unified CM. The current advisory is the read-only cousin — arbitrary file read rather than write — but the exposure profile is identical: a widely-deployed Cisco management appliance with an unauthenticated web surface that touches user-supplied path input without validation.
The pattern for defenders is the same each time: Cisco management platforms should not be reachable outside the ops network, and the management VLAN should not be reachable from user endpoints. When neither is true — and audits keep finding that it isn't — a CVSS 7.5 arbitrary read on the management console is enough to hand an attacker the credentials and integration tokens that make the next hop trivial.