CVE-2026-2435
Published: 20 February 2026
Summary
CVE-2026-2435 is a medium-severity SQL Injection (CWE-89) vulnerability in Tanium Asset. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-2435 is a SQL injection vulnerability (CWE-89) affecting the Asset component in Tanium software. Published on 2026-02-20, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity with network accessibility, low attack complexity, and requirements for low privileges but no user interaction.
An authenticated attacker with low privileges can exploit this vulnerability remotely over the network. Exploitation enables limited impacts on confidentiality, integrity, and availability, allowing potential unauthorized access, modification, or disruption of data through SQL injection techniques.
Tanium has addressed the vulnerability, as detailed in advisory TAN-2026-004 available at https://security.tanium.com/TAN-2026-004, which provides information on patches and mitigation.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8007
Vulnerability details
Tanium addressed a SQL injection vulnerability in Asset.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in network-accessible Asset component directly enables remote exploitation of a public-facing application (T1190).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of all inputs to the Asset component, blocking the unsanitized SQL statements that enable CVE-2026-2435.
Mandates prompt application of the vendor patch in TAN-2026-004 that eliminates the SQL injection flaw in Tanium Asset.
Restricts the low-privilege accounts that the advisory states are sufficient to reach the vulnerable Asset SQL interface, limiting exploit scope.