{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2435", "assignerOrgId": "3938794e-25f5-4123-a1ba-5cbd7f104512", "state": "PUBLISHED", "assignerShortName": "Tanium", "dateReserved": "2026-02-12T22:26:04.828Z", "datePublished": "2026-02-19T23:09:41.110Z", "dateUpdated": "2026-03-02T15:55:43.064Z"}, "containers": {"cna": {"affected": [{"product": "Asset", "vendor": "Tanium", "versions": [{"version": "1.32", "status": "affected", "lessThan": "1.32.179", "versionType": "custom"}, {"version": "1.33", "status": "affected", "lessThan": "1.33.269", "versionType": "custom"}, {"version": "1.36", "status": "affected", "lessThan": "1.36.108", "versionType": "custom"}], "cpes": ["cpe:2.3:a:tanium:service_asset:1.32.178:*:*:*:*:*:*:*", "cpe:2.3:a:tanium:service_asset:1.33.268:*:*:*:*:*:*:*", "cpe:2.3:a:tanium:service_asset:1.36.107:*:*:*:*:*:*:*"]}], "dateAssigned": "2026-02-12T22:26:04.213Z", "datePublic": "2026-02-19T23:09:30.641Z", "descriptions": [{"lang": "en", "value": "Tanium addressed a SQL injection vulnerability in Asset."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "3938794e-25f5-4123-a1ba-5cbd7f104512", "shortName": "Tanium", "dateUpdated": "2026-02-19T23:09:41.110Z"}, "references": [{"name": "TAN-2026-004", "url": "https://security.tanium.com/TAN-2026-004"}], "title": "ASSET-7706"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-02T15:55:19.435641Z", "id": "CVE-2026-2435", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T15:55:43.064Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2435", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-02T15:55:19.435641Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T15:55:34.969Z"}}], "cna": {"title": "ASSET-7706", "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"}}], "affected": [{"cpes": ["cpe:2.3:a:tanium:service_asset:1.32.178:*:*:*:*:*:*:*", "cpe:2.3:a:tanium:service_asset:1.33.268:*:*:*:*:*:*:*", "cpe:2.3:a:tanium:service_asset:1.36.107:*:*:*:*:*:*:*"], "vendor": "Tanium", "product": "Asset", "versions": [{"status": "affected", "version": "1.32", "lessThan": "1.32.179", "versionType": "custom"}, {"status": "affected", "version": "1.33", "lessThan": "1.33.269", "versionType": "custom"}, {"status": "affected", "version": "1.36", "lessThan": "1.36.108", "versionType": "custom"}]}], "datePublic": "2026-02-19T23:09:30.641Z", "references": [{"url": "https://security.tanium.com/TAN-2026-004", "name": "TAN-2026-004"}], "dateAssigned": "2026-02-12T22:26:04.213Z", "descriptions": [{"lang": "en", "value": "Tanium addressed a SQL injection vulnerability in Asset."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "3938794e-25f5-4123-a1ba-5cbd7f104512", "shortName": "Tanium", "dateUpdated": "2026-02-19T23:09:41.110Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2435", "state": "PUBLISHED", "dateUpdated": "2026-03-02T15:55:43.064Z", "dateReserved": "2026-02-12T22:26:04.828Z", "assignerOrgId": "3938794e-25f5-4123-a1ba-5cbd7f104512", "datePublished": "2026-02-19T23:09:41.110Z", "assignerShortName": "Tanium"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tanium:asset:*:*:*:*:*:*:*:*", "matchCriteriaId": "8A296269-F775-41DF-9471-EB7C80827D9C", "versionEndExcluding": "1.32.179", "versionStartIncluding": "1.32", "vulnerable": true}, {"criteria": "cpe:2.3:a:tanium:asset:*:*:*:*:*:*:*:*", "matchCriteriaId": "511FD7BF-99C4-4B44-A644-1D09D31CFE47", "versionEndExcluding": "1.33.269", "versionStartIncluding": "1.33", "vulnerable": true}, {"criteria": "cpe:2.3:a:tanium:asset:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E29EB1C-D5C7-4FA9-8BD1-E07845219A49", "versionEndExcluding": "1.36.108", "versionStartIncluding": "1.36", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Tanium addressed a SQL injection vulnerability in Asset."}, {"lang": "es", "value": "Tanium abord\u00f3 una vulnerabilidad de inyecci\u00f3n SQL en Asset."}], "id": "CVE-2026-2435", "lastModified": "2026-02-27T21:53:11.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "3938794e-25f5-4123-a1ba-5cbd7f104512", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-20T00:16:18.060", "references": [{"source": "3938794e-25f5-4123-a1ba-5cbd7f104512", "tags": ["Vendor Advisory"], "url": "https://security.tanium.com/TAN-2026-004"}], "sourceIdentifier": "3938794e-25f5-4123-a1ba-5cbd7f104512", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "3938794e-25f5-4123-a1ba-5cbd7f104512", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.32,1.32.179)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.33,1.33.269)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.36,1.36.108)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Asset", "source": "cna", "vendor": "Tanium"}, "product": "asset", "vendor": "tanium"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.32.178"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.33.268"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.36.107"}}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "service_asset", "vendor": "tanium"}], "analysis": {"en": {"generated_at": "2026-04-16T16:46:58.819960+00:00", "value": {"mitigation_remediation": ["Apply the official Tanium software update that resolves the SQL injection flaw; the latest Asset release removes the vulnerable code path.", "If an immediate update is unavailable, deploy a Web Application Firewall or similar filtering layer to block malformed SQL queries targeting Asset\u2019s endpoints.", "Restrict the database account used by Asset to the minimum permissions required for its legitimate operations, reducing the impact if injection occurs."], "summary": {"action": "Apply patch", "impact": "SQL injection potentially exposing sensitive data"}, "threat_synthesis": {"affected_systems": "Tanium\u2019s Asset product, including versions 1.32.178, 1.33.268, and 1.36.107, is affected. The vulnerability resides within the Asset component used for inventory management across Tanium deployments.", "description_and_impact": "A vulnerable code path in Tanium Asset allows an attacker to inject arbitrary SQL statements into the database. The flaw originates from insufficient input sanitization, permitting malicious characters to alter query logic. Successful exploitation could lead to disclosure of confidential data, modification of records, or deletion of data, impacting the confidentiality, integrity, and availability of information managed by the Asset service.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.3, indicating a moderate risk. EPSS shows an exploitation probability of less than 1%, suggesting that while exploitation is unlikely, the risk remains present. The issue is not listed in CISA\u2019s KEV catalog. Likely attack vectors involve unauthenticated injection via exposed web interfaces or API endpoints, assuming an attacker gains network access to the Asset service."}}}}, "created": "2026-02-20T09:53:29.812631+00:00", "title": "SQL Injection in Tanium Asset", "updated": "2026-04-16T17:00:09.353346+00:00", "vendors": ["tanium", "tanium$PRODUCT$asset", "tanium$PRODUCT$service_asset"]}