Description
An improper access control vulnerability exists where an authenticated user could access areas outside of their authorized scope.
Published: 2026-02-23
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Immediate Patch
AI Analysis

Impact

An improper access control flaw allows an authenticated user to reach areas of Tenable Security Center that fall outside their designated authorization scope. Both published CVSS vectors rate the impact as a loss of confidentiality only (C:H/I:N/A:N), so the practical risk is disclosure of data the user was never authorized to view rather than modification of configuration or disruption of the service. The weakness is classed as CWE-639 (Authorization Bypass Through User-Controlled Key): the application retrieves an object using an identifier the client supplies and does not verify that the caller is entitled to that particular object, so changing the key is enough to reach another user's data.
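The pattern behind CWE-639, shown as an added illustration that is not Tenable code and makes no claim about how Security Center implements its authorization: a handler that fetches an object by a client-supplied key with no check against the caller's scope, beside a handler that constrains the lookup to the caller's scope and returns the same error for missing and out-of-scope ids, plus a small audit helper of the kind used to confirm a fix. The users, groups and "scan result" records are constructed sample data; the function and field names are the example's own.

```python
"""CWE-639 (authorization bypass through user-controlled key): vulnerable
lookup beside the scope-enforcing fix.  Added, generic example; not Tenable
code.  All records below are constructed for the illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    group: str            # the caller's authorization scope (e.g. a group)
    is_admin: bool = False


@dataclass(frozen=True)
class ScanResult:
    result_id: int
    owner_group: str      # the scope this object belongs to
    summary: str


class Forbidden(Exception):
    """Raised when a caller asks for an object outside their scope."""


# Constructed sample store: two groups, three result objects.
RESULTS = {
    101: ScanResult(101, "finance", "finance-prod: 3 critical"),
    102: ScanResult(102, "finance", "finance-dev: 0 critical"),
    201: ScanResult(201, "engineering", "build-farm: 12 high"),
}


def get_result_vulnerable(user: User, result_id: int) -> ScanResult:
    """VULNERABLE: authentication is the only gate.  The key comes straight
    from the request and is never compared with the caller's scope, so any
    logged-in user can walk the id space and read other groups' data."""
    try:
        return RESULTS[result_id]
    except KeyError:
        raise LookupError(result_id) from None


def get_result_fixed(user: User, result_id: int) -> ScanResult:
    """FIXED: the object is only returned if it lies in the caller's scope.
    Missing and out-of-scope ids produce the same error, so the endpoint
    cannot be used to confirm which ids exist in other scopes."""
    result = RESULTS.get(result_id)
    if result is None or not (user.is_admin or result.owner_group == user.group):
        raise Forbidden(f"result {result_id} is not accessible to {user.name}")
    return result


def list_results(user: User) -> list[int]:
    """Scoped listing: filter at query time instead of after a global lookup."""
    return sorted(r.result_id for r in RESULTS.values()
                  if user.is_admin or r.owner_group == user.group)


def count_out_of_scope(user: User, fetch, ids) -> int:
    """Audit helper: how many objects outside `user`'s scope does `fetch`
    hand back for the given ids?  A correct handler yields 0 for every
    non-admin user."""
    leaked = 0
    for rid in ids:
        try:
            r = fetch(user, rid)
        except (Forbidden, LookupError):
            continue
        if not user.is_admin and r.owner_group != user.group:
            leaked += 1
    return leaked


def demo() -> dict:
    """Exercise both handlers as an engineering-group user."""
    eng = User("eve", "engineering")
    out = {"vulnerable_leak": get_result_vulnerable(eng, 101).summary}
    try:
        get_result_fixed(eng, 101)
        out["fixed_blocked"] = False
    except Forbidden:
        out["fixed_blocked"] = True
    out["fixed_in_scope"] = get_result_fixed(eng, 201).summary
    out["fixed_visible"] = list_results(eng)
    return out


if __name__ == "__main__":
    print(demo())
```

The audit helper is the part to keep after patching: run it with a low-privilege account against every object type that takes an id, and treat any non-zero count as a regression.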

Affected Systems

The advisory lists Tenable Security Center with no lower version bound (the CPE entry is cpe:2.3:a:tenable:security_center:*), so every release prior to 6.8.0 should be treated as affected. Exploitation requires an authenticated account. The description names no particular role, and the CVSS vector (PR:L) indicates that low-privilege credentials are sufficient, so any authenticated user should be assumed capable of triggering it.

Risk and Exploitability

The CVSS 4.0 base score is 5.7 (Medium); the CVSS 3.1 score recorded by NVD is 6.5. Both vectors describe a network-reachable flaw of low attack complexity that needs valid low-privilege credentials and no user interaction (AV:N/AC:L/PR:L/UI:N). The EPSS estimate below 1% indicates a very low probability of exploitation in the wild over the next 30 days, the issue is not in the CISA Known Exploited Vulnerabilities catalog, and the SSVC assessment records Exploitation: none and Automatable: no. Note, however, that the CVSS 4.0 vector carries E:P, which denotes proof-of-concept exploit maturity. Because a valid login is required, the realistic threat is a malicious insider or an attacker who has already obtained Security Center credentials; given that the product holds an organization's vulnerability data, that is enough to justify prompt patching.

Generated by OpenCVE AI on April 18, 2026 at 11:03 UTC.

Remediation

Vendor Solution

Tenable has released Security Center 6.8.0 to address these issues. The installation files can be obtained from the Tenable Downloads Portal:
https://www.tenable.com/downloads/security-center

Note: Patches that include fixes for Apache, PHP and libcurl were recently released (https://www.tenable.com/security/tns-2026-06). Tenable Security Center 6.8.0 includes all of these fixes. Please refer to the Tenable Security Center Release Notes for more information:
https://docs.tenable.com/release-notes/Content/security-center/2026.htm


OpenCVE Recommended Actions

  • Upgrade to Tenable Security Center 6.8.0, which is the only vendor fix for this flaw and incorporates all pertinent fixes
  • Confirm that the upgrade also brings in the Apache, PHP and libcurl fixes from TNS-2026-06; those component patches cover separate issues and are not, on their own, a fix for this access control flaw
  • Until the upgrade is complete, review which accounts hold Security Center logins and disable any that are no longer needed, since a valid login is the only precondition for exploitation
  • Verify that role‑based access controls are configured to the intended scope limits, bearing in mind that configuration alone does not remove a code-level authorization flaw; after upgrading, test with a low‑privilege account that objects belonging to other users or groups are no longer reachable

Generated by OpenCVE AI on April 18, 2026 at 11:03 UTC.

Advisories

No advisories yet.

History

Tue, 24 Feb 2026 21:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 17:00:00 +0000

Initial record; no values were removed in this change.

Type: Description
Values added: An improper access control vulnerability exists where an authenticated user could access areas outside of their authorized scope.

Type: Title
Values added: Improper Access Control

Type: First Time appeared
Values added: Tenable; Tenable security Center

Type: Weaknesses
Values added: CWE-639

Type: CPEs
Values added: cpe:2.3:a:tenable:security_center:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values added: Tenable; Tenable security Center

Type: References
Values added: (none)

Type: Metrics
Values added: cvssV3_1
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0
{'score': 5.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: tenable

Published:

Updated: 2026-02-23T18:17:26.382Z

Reserved: 2026-02-18T15:44:14.404Z

Link: CVE-2026-2698

Vulnrichment

Updated: 2026-02-23T18:17:17.736Z

NVD

Status : Analyzed

Published: 2026-02-23T17:23:30.390

Modified: 2026-02-26T16:39:12.610

Link: CVE-2026-2698

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:15:35Z

Weaknesses