Description
Tanium addressed a SQL injection vulnerability in Asset.
Published: 2026-02-19
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL injection potentially exposing sensitive data
Action: Apply patch
AI Analysis

Impact

A vulnerable code path in Tanium Asset allows an attacker to inject arbitrary SQL statements into the database. The flaw originates from insufficient input sanitization, permitting malicious characters to alter query logic. Successful exploitation could lead to disclosure of confidential data, modification of records, or deletion of data, impacting the confidentiality, integrity, and availability of information managed by the Asset service.

Affected Systems

Tanium’s Asset product, including versions 1.32.178, 1.33.268, and 1.36.107, is affected. The vulnerability resides within the Asset component used for inventory management across Tanium deployments.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.3, indicating a moderate risk. EPSS shows an exploitation probability of less than 1%, suggesting that while exploitation is unlikely, the risk remains present. The issue is not listed in CISA’s KEV catalog. Likely attack vectors involve unauthenticated injection via exposed web interfaces or API endpoints, assuming an attacker gains network access to the Asset service.

Generated by OpenCVE AI on April 16, 2026 at 16:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Tanium software update that resolves the SQL injection flaw; the latest Asset release removes the vulnerable code path.
  • If an immediate update is unavailable, deploy a Web Application Firewall or similar filtering layer to block malformed SQL queries targeting Asset’s endpoints.
  • Restrict the database account used by Asset to the minimum permissions required for its legitimate operations, reducing the impact if injection occurs.



Advisories

No advisories yet.

History

Mon, 02 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 22:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:tanium:asset:*:*:*:*:*:*:*:*

Fri, 20 Feb 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tanium asset
Vendors & Products | | Tanium asset

Thu, 19 Feb 2026 23:30:00 +0000

Type | Values Removed | Values Added
Description | | Tanium addressed a SQL injection vulnerability in Asset.
Title | | ASSET-7706
First Time appeared | | Tanium; Tanium service Asset
Weaknesses | | CWE-89
CPEs | | cpe:2.3:a:tanium:service_asset:1.32.178:*:*:*:*:*:*:*; cpe:2.3:a:tanium:service_asset:1.33.268:*:*:*:*:*:*:*; cpe:2.3:a:tanium:service_asset:1.36.107:*:*:*:*:*:*:*
Vendors & Products | | Tanium; Tanium service Asset
References | |
Metrics | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Tanium

Published:

Updated: 2026-03-02T15:55:43.064Z

Reserved: 2026-02-12T22:26:04.828Z

Link: CVE-2026-2435

Vulnrichment

Updated: 2026-03-02T15:55:34.969Z

NVD

Status: Analyzed

Published: 2026-02-20T00:16:18.060

Modified: 2026-02-27T21:53:11.810

Link: CVE-2026-2435

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:00:09Z
