{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2605", "assignerOrgId": "3938794e-25f5-4123-a1ba-5cbd7f104512", "state": "PUBLISHED", "assignerShortName": "Tanium", "dateReserved": "2026-02-16T21:37:15.555Z", "datePublished": "2026-02-19T23:10:02.867Z", "dateUpdated": "2026-03-02T15:51:41.710Z"}, "containers": {"cna": {"affected": [{"product": "TanOS", "vendor": "Tanium", "versions": [{"version": "1.8.4", "status": "affected", "lessThan": "1.8.4.0249", "versionType": "custom"}, {"version": "1.8.5", "status": "affected", "lessThan": "1.8.5.0282", "versionType": "custom"}, {"version": "1.8.6", "status": "affected", "lessThan": "1.8.6.0150", "versionType": "custom"}], "cpes": ["cpe:2.3:a:tanium:tanos:1.8.4.0249:*:*:*:*:*:*:*", "cpe:2.3:a:tanium:tanos:1.8.5.0282:*:*:*:*:*:*:*", "cpe:2.3:a:tanium:tanos:1.8.6.0150:*:*:*:*:*:*:*"]}], "dateAssigned": "2026-02-16T21:37:14.785Z", "datePublic": "2026-02-19T23:09:49.159Z", "descriptions": [{"lang": "en", "value": "Tanium addressed an insertion of sensitive information into log file vulnerability in TanOS."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "description": "Insertion of Sensitive Information into Log File", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "3938794e-25f5-4123-a1ba-5cbd7f104512", "shortName": "Tanium", "dateUpdated": "2026-02-19T23:13:38.465Z"}, "references": [{"name": "TAN-2026-006", "url": "https://security.tanium.com/TAN-2026-006"}], "title": "Tanium addressed an insertion of sensitive information into log file vulnerability in TanOS."}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-02T15:51:21.997907Z", "id": "CVE-2026-2605", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T15:51:41.710Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2605", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-02T15:51:21.997907Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T15:51:28.771Z"}}], "cna": {"title": "Tanium addressed an insertion of sensitive information into log file vulnerability in TanOS.", "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"cpes": ["cpe:2.3:a:tanium:tanos:1.8.4.0249:*:*:*:*:*:*:*", "cpe:2.3:a:tanium:tanos:1.8.5.0282:*:*:*:*:*:*:*", "cpe:2.3:a:tanium:tanos:1.8.6.0150:*:*:*:*:*:*:*"], "vendor": "Tanium", "product": "TanOS", "versions": [{"status": "affected", "version": "1.8.4", "lessThan": "1.8.4.0249", "versionType": "custom"}, {"status": "affected", "version": "1.8.5", "lessThan": "1.8.5.0282", "versionType": "custom"}, {"status": "affected", "version": "1.8.6", "lessThan": "1.8.6.0150", "versionType": "custom"}]}], "datePublic": "2026-02-19T23:09:49.159Z", "references": [{"url": "https://security.tanium.com/TAN-2026-006", "name": "TAN-2026-006"}], "dateAssigned": "2026-02-16T21:37:14.785Z", "descriptions": [{"lang": "en", "value": "Tanium addressed an insertion of sensitive information into log file vulnerability in TanOS."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-532", "description": "Insertion of Sensitive Information into Log File"}]}], "providerMetadata": {"orgId": "3938794e-25f5-4123-a1ba-5cbd7f104512", "shortName": "Tanium", "dateUpdated": "2026-02-19T23:13:38.465Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2605", "state": "PUBLISHED", "dateUpdated": "2026-03-02T15:51:41.710Z", "dateReserved": "2026-02-16T21:37:15.555Z", "assignerOrgId": "3938794e-25f5-4123-a1ba-5cbd7f104512", "datePublished": "2026-02-19T23:10:02.867Z", "assignerShortName": "Tanium"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:tanium:tanos:*:*:*:*:*:*:*:*", "matchCriteriaId": "341263D2-D015-498F-A717-729B8DC8D93F", "versionEndExcluding": "1.8.4.0249", "versionStartIncluding": "1.8.4", "vulnerable": true}, {"criteria": "cpe:2.3:o:tanium:tanos:*:*:*:*:*:*:*:*", "matchCriteriaId": "47E0A12E-244A-43B4-A25F-FFC7100066E6", "versionEndExcluding": "1.8.5.0282", "versionStartIncluding": "1.8.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:tanium:tanos:*:*:*:*:*:*:*:*", "matchCriteriaId": "ACA62C74-B541-4CD2-847E-D9C11422862A", "versionEndIncluding": "1.8.6.0150", "versionStartIncluding": "1.8.6\\*", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Tanium addressed an insertion of sensitive information into log file vulnerability in TanOS."}], "id": "CVE-2026-2605", "lastModified": "2026-02-20T19:33:36.067", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "3938794e-25f5-4123-a1ba-5cbd7f104512", "type": "Secondary"}]}, "published": "2026-02-20T00:16:18.200", "references": [{"source": "3938794e-25f5-4123-a1ba-5cbd7f104512", "tags": ["Vendor Advisory"], "url": "https://security.tanium.com/TAN-2026-006"}], "sourceIdentifier": "3938794e-25f5-4123-a1ba-5cbd7f104512", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "3938794e-25f5-4123-a1ba-5cbd7f104512", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.8.4,1.8.4.0249)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.8.5,1.8.5.0282)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.8.6,1.8.6.0150)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "inferred", "scores": [{"score": 100.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "TanOS", "source": "cna", "vendor": "Tanium"}, "product": "tanos", "vendor": "tanium"}], "analysis": {"en": {"generated_at": "2026-04-18T11:39:28.679738+00:00", "value": {"mitigation_remediation": ["Apply the Tanium security patch or upgrade to a non\u2011affected TanOS version as detailed in Tanium\u2019s advisory (https://security.tanium.com/TAN-2026-006).", "Modify logging settings to prevent sensitive data from being recorded, following the vendor\u2019s log sanitization guidance.", "Enable log rotation and enforce strict access controls on log files to reduce the window of exposure for any logged sensitive information."], "summary": {"action": "Patch", "impact": "Sensitive Data Exposure via logs"}, "threat_synthesis": {"affected_systems": "Affected systems are Tanium TanOS versions 1.8.4.0249, 1.8.5.0282, and 1.8.6.0150.", "description_and_impact": "The vulnerability enables the insertion of sensitive information into log files, which can lead to the disclosure of confidential data if the logs are accessed by unauthorized parties. It is classified as an information disclosure flaw consistent with CWE-532. The impact is limited to the potential exposure of whatever data is written to the logs at the time of the incident.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% reflects a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. No explicit attack vector is disclosed; the risk assessment assumes that the attacker would need sufficient access to alter the logging configuration or trigger a condition that logs the sensitive data."}}}}, "created": "2026-02-20T09:53:28.163309+00:00", "updated": "2026-04-18T11:45:44.596248+00:00", "vendors": ["tanium", "tanium$PRODUCT$tanos"]}