CVE-2026-2435
Published: 20 February 2026
Summary
CVE-2026-2435 is a medium-severity SQL Injection (CWE-89) vulnerability in Tanium Asset. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in network-accessible Asset component directly enables remote exploitation of a public-facing application (T1190).
NVD Description
Tanium addressed a SQL injection vulnerability in Asset.
Deeper analysisAI
CVE-2026-2435 is a SQL injection vulnerability (CWE-89) affecting the Asset component in Tanium software. Published on 2026-02-20, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity with network accessibility, low attack complexity, and requirements for low privileges but no user interaction.
An authenticated attacker with low privileges can exploit this vulnerability remotely over the network. Exploitation enables limited impacts on confidentiality, integrity, and availability, allowing potential unauthorized access, modification, or disruption of data through SQL injection techniques.
Tanium has addressed the vulnerability, as detailed in advisory TAN-2026-004 available at https://security.tanium.com/TAN-2026-004, which provides information on patches and mitigation.
Details
- CWE(s)