Description
An Indirect Object Reference (IDOR) in Security Center allows an authenticated remote attacker to escalate privileges via the 'owner' parameter.
Published: 2026-02-23
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via IDOR
Action: Patch
AI Analysis

Impact

An indirect object reference flaw allows an authenticated remote attacker to manipulate the 'owner' parameter in Tenable Security Center. This can elevate the attacker's privileges, granting access to resources beyond their authorized scope. The weakness aligns with CWE-639, indicating that access controls do not correctly validate ownership of referenced objects.

Affected Systems

All releases of Tenable Security Center prior to version 6.8.0 are affected. The product is identified as tenable:security_center in the CPE feed. No precise version list is provided, but the public advisory states that the fix is included in the 6.8.0 release.

Risk and Exploitability

The vulnerability has a CVSS score of 2.1, reflecting a low base severity, and an EPSS score of less than 1%, indicating that exploitation is expected to be rare. The flaw is not listed in the KEV catalog. The attack requires an authenticated session, so the likely vector is a remote attacker who has obtained legitimate credentials. No additional exploitation requirements are stated. The overall risk is therefore limited, but because the flaw allows privileges to be raised it remains a potentially critical concern in environments where privilege separation is essential.

Generated by OpenCVE AI on April 18, 2026 at 11:03 UTC.

Remediation

Vendor Solution

Tenable has released Security Center 6.8.0 to address these issues. The installation files can be obtained from the Tenable Downloads Portal: https://www.tenable.com/downloads/security-center

Note: Patches that include fixes for Apache, PHP and Libcurl were recently released (https://www.tenable.com/security/tns-2026-06). Tenable Security Center 6.8.0 includes all of these fixes. Please refer to the Tenable SC Release Notes (https://docs.tenable.com/release-notes/Content/security-center/2026.htm) for more information.


OpenCVE Recommended Actions

  • Upgrade to Tenable Security Center version 6.8.0 or newer, which incorporates the fix for this IDOR issue. The patch can be downloaded from the Tenable Downloads Portal.
  • Apply the update for Apache, PHP, and libcurl that accompanies the Security Center 6.8.0 release, following the guidance in the Tenable SC Release Notes.
  • Modify privilege and role configurations to ensure that only authorized users can alter the 'owner' parameter, enforcing least privilege and verifying access control policies.
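As an added illustration of the CWE-639 pattern described in the analysis above and of the ownership check recommended in the last action, the following is example code written for this page, not Tenable's code; the object model, the role names "admin" and "user", and the handler functions are assumptions. It places a handler that writes a client-supplied 'owner' field straight to the object beside one that resolves ownership server-side and restricts who may change it.

```python
"""CWE-639 (authorization bypass through a user-controlled key) and its fix,
shown on a hypothetical object store. Added example, not Security Center code."""

from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    role: str            # assumed role names: "admin" or "user"


@dataclass
class Asset:
    asset_id: int
    owner_id: int
    name: str


@dataclass
class Store:
    users: dict = field(default_factory=dict)
    assets: dict = field(default_factory=dict)


class Forbidden(Exception):
    pass


def make_sample_store():
    """Constructed sample data: one admin, two ordinary users, one asset each."""
    s = Store()
    for u in (User(1, "admin"), User(2, "user"), User(3, "user")):
        s.users[u.user_id] = u
    s.assets[10] = Asset(10, owner_id=2, name="scanner-a")
    s.assets[11] = Asset(11, owner_id=3, name="scanner-b")
    return s


def update_asset_vulnerable(store, caller_id, asset_id, changes):
    """CWE-639 pattern: the handler only confirms the caller is logged in, then
    writes every field the client sent, including 'owner', to whichever object
    the client named. Any authenticated user can reassign any asset."""
    if caller_id not in store.users:
        raise Forbidden("not authenticated")
    asset = store.assets[asset_id]
    if "name" in changes:
        asset.name = changes["name"]
    if "owner" in changes:
        asset.owner_id = changes["owner"]
    return asset


def update_asset_hardened(store, caller_id, asset_id, changes):
    """Hardened pattern: ownership is read from the stored object, not from the
    request; the caller must own the object (or be an admin) to edit it at all;
    only an admin may change 'owner'; and a missing object and a forbidden
    object produce the same error so the handler does not leak existence."""
    caller = store.users.get(caller_id)
    if caller is None:
        raise Forbidden("not authenticated")
    asset = store.assets.get(asset_id)
    is_admin = caller.role == "admin"
    if asset is None or (not is_admin and asset.owner_id != caller.user_id):
        raise Forbidden("object not accessible")
    allowed = {"name", "owner"} if is_admin else {"name"}
    unexpected = set(changes) - allowed
    if unexpected:
        raise Forbidden(f"fields not permitted: {sorted(unexpected)}")
    if "owner" in changes and changes["owner"] not in store.users:
        raise Forbidden("target owner does not exist")
    if "name" in changes:
        asset.name = changes["name"]
    if "owner" in changes:
        asset.owner_id = changes["owner"]
    return asset


def rejected(handler, store, caller_id, asset_id, changes):
    """True if the handler refuses the request; lets the two handlers be compared."""
    try:
        handler(store, caller_id, asset_id, changes)
        return False
    except Forbidden:
        return True


if __name__ == "__main__":
    # User 2 tries to take over user 3's asset through each handler.
    s = make_sample_store()
    print("vulnerable rejected:", rejected(update_asset_vulnerable, s, 2, 11, {"owner": 2}))
    s = make_sample_store()
    print("hardened rejected:  ", rejected(update_asset_hardened, s, 2, 11, {"owner": 2}))
```

The design point for the check in the third recommended action is that the server decides who owns an object by looking it up, and treats the 'owner' field as a privileged attribute with its own allow-list rather than as ordinary user input.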

Generated by OpenCVE AI on April 18, 2026 at 11:03 UTC.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 16:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 16:00:00 +0000

Type                | Values Removed | Values Added
Description         |                | An Indirect Object Reference (IDOR) in Security Center allows an authenticated remote attacker to escalate privileges via the 'owner' parameter.
Title               |                | Indirect Object Reference (IDOR) in Security Center
First Time appeared |                | Tenable; Tenable security Center
Weaknesses          |                | CWE-639
CPEs                |                | cpe:2.3:a:tenable:security_center:*:*:*:*:*:*:*:*
Vendors & Products  |                | Tenable; Tenable security Center
References          |                |
Metrics             |                | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}; cvssV4_0: {'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: tenable

Published:

Updated: 2026-02-26T14:44:10.953Z

Reserved: 2026-02-18T15:05:03.676Z

Link: CVE-2026-2697

Vulnrichment

Updated: 2026-02-23T16:03:56.807Z

NVD

Status: Analyzed

Published: 2026-02-23T16:29:37.323

Modified: 2026-02-26T16:44:54.040

Link: CVE-2026-2697

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:15:35Z

Weaknesses