Cyber Resilience

CVE-2026-2697

Severity: Medium
Published: 23 February 2026
Modified: 26 February 2026
CVSS v4 score: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0021 (10.5th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-2697 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Tenable Security Center. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 10.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-2697 is an Indirect Object Reference (IDOR) vulnerability, mapped to CWE-639, in Security Center. Published on 2026-02-23, it enables an authenticated remote attacker to escalate privileges by manipulating the 'owner' parameter. The issue carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L): medium severity, network-accessible, low attack complexity, and requiring only low-privilege authentication.

An attacker holding low-privileged credentials can exploit this over the network without user interaction. By abusing the 'owner' parameter in IDOR fashion, they gain elevated privileges, with low-level impacts to confidentiality, integrity, and availability of the affected Security Center instance.

The primary advisory from Tenable, available at https://www.tenable.com/security/tns-2026-07, provides further details on the vulnerability, including potential mitigation steps. Security practitioners should consult this reference for patch information and workarounds.

Vulnerability details

An Indirect Object Reference (IDOR) in Security Center allows an authenticated remote attacker to escalate privileges via the 'owner' parameter.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The IDOR vulnerability (CVE-2026-2697) allows an authenticated low-privilege attacker to escalate privileges by manipulating the 'owner' parameter, directly enabling T1068: Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-0020 (shared CWE-639)
CVE-2026-41906 (shared CWE-639)
CVE-2026-38807 (shared CWE-639)
CVE-2026-8629 (shared CWE-639)
CVE-2025-13768 (shared CWE-639)
CVE-2026-5617 (shared CWE-639)
CVE-2026-34602 (shared CWE-639)
CVE-2026-29002 (shared CWE-639)
CVE-2025-14996 (shared CWE-639)
CVE-2026-47356 (same vendor: Tenable)

Affected Assets

Tenable Security Center ≤ 6.8.0

Mitigating Controls (NIST 800-53 r5)

AC-3 (prevent): enforces approved authorizations for access to system resources, directly preventing authenticated low-privilege attackers from escalating privileges via manipulated 'owner' parameters in this IDOR vulnerability.

SI-10 (prevent): requires validation of inputs like the 'owner' parameter against user context, blocking unauthorized object references that enable IDOR-based privilege escalation.

AC-6 (prevent): applies least privilege to limit the scope of escalation even if IDOR manipulation partially succeeds, reducing potential impacts to confidentiality, integrity, and availability.
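As an added illustration of the AC-3/SI-10 point above (example code written for this page, not Tenable's implementation; the object store, the "user"/"admin" role model and the handling of the 'owner' parameter are assumptions): a resolver that trusts the client-supplied owner, the CWE-639 pattern, beside a hardened one that binds the effective owner to the authenticated session and records rejected substitutions for alerting.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """Authenticated session identity (hypothetical model for this example)."""
    user_id: str
    role: str  # assumed role model: "user" or "admin"


class Forbidden(Exception):
    """Raised when a request names an owner the principal may not act as."""


# Constructed sample data: object id -> owner user id.
OBJECTS = {"scan-1": "alice", "scan-2": "bob"}

# Audit trail of rejected owner substitutions, a simple detection aid.
DENIED: list = []


def resolve_owner_vulnerable(principal: Principal, params: dict) -> str:
    """CWE-639 pattern: the client-supplied 'owner' value is trusted as-is."""
    return params.get("owner", principal.user_id)


def resolve_owner_hardened(principal: Principal, params: dict) -> str:
    """Bind the effective owner to the session (AC-3) and validate the
    'owner' parameter against that context (SI-10); only an admin may act
    on behalf of another owner (AC-6)."""
    requested = params.get("owner")
    if requested is None or requested == principal.user_id:
        return principal.user_id
    if principal.role == "admin":
        return requested
    DENIED.append((principal.user_id, requested))  # surface for alerting
    raise Forbidden(f"{principal.user_id} may not act as owner {requested}")


def can_modify(principal: Principal, object_id: str, params: dict, resolve) -> bool:
    """Decide whether the principal may modify object_id using the given
    owner resolver; raises Forbidden on a rejected owner substitution."""
    effective_owner = resolve(principal, params)
    actual_owner = OBJECTS[object_id]
    return principal.role == "admin" or effective_owner == actual_owner
```

With the vulnerable resolver, a low-privilege user who sets owner to another user's id passes the ownership check on that user's object; the hardened resolver refuses the request and leaves an audit record.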
