CVE-2026-2697
Published: 23 February 2026
Summary
CVE-2026-2697 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Tenable Security Center. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 34.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 enforces approved authorizations for access to system resources, directly preventing authenticated low-privilege attackers from escalating privileges via manipulated 'owner' parameters in this IDOR vulnerability.
SI-10 requires validation of inputs like the 'owner' parameter against user context, blocking unauthorized object references that enable IDOR-based privilege escalation.
AC-6 applies least privilege to limit the scope of escalation even if IDOR manipulation partially succeeds, reducing potential impacts to confidentiality, integrity, and availability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The IDOR vulnerability (CVE-2026-2697) allows an authenticated low-privilege attacker to escalate privileges by manipulating the 'owner' parameter, directly enabling T1068: Exploitation for Privilege Escalation.
NVD Description
An Indirect Object Reference (IDOR) in Security Center allows an authenticated remote attacker to escalate privileges via the 'owner' parameter.
Deeper analysis
CVE-2026-2697 is an Indirect Object Reference (IDOR) vulnerability, mapped to CWE-639, in Security Center. Published on 2026-02-23, it enables an authenticated remote attacker to escalate privileges by manipulating the 'owner' parameter. The issue carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), reflecting medium severity with network accessibility, low attack complexity, and requirements for low-privilege authentication.
An attacker with existing low-privileged credentials can exploit this over the network without user interaction. By abusing the 'owner' parameter in IDOR fashion, they achieve privilege escalation, alongside low-level impacts to confidentiality, integrity, and availability within the affected Security Center instance.
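As an added illustration that is not Tenable's code and does not reflect Security Center internals, the following Python contrasts a request handler that keys its authorization decision off a client-supplied 'owner' field (the CWE-639 pattern described above) with a hardened handler that derives ownership from the authenticated session and validates the supplied field against it, in the spirit of the AC-3, SI-10 and AC-6 controls listed above. The object store, session tokens, user names and roles are all constructed for the example.

```python
"""Added example (not Tenable code): the CWE-639 pattern behind an 'owner'
parameter IDOR, beside a hardened version. All data here is constructed."""
from copy import deepcopy

# Constructed object store: records keyed by id, each with a server-side owner.
_OBJECTS = {
    101: {"owner": "alice", "name": "alice-scan"},
    202: {"owner": "admin", "name": "privileged-scan"},
}
# Constructed sessions: the server already knows who is authenticated.
SESSIONS = {
    "tok-alice": {"user": "alice", "role": "user"},
    "tok-admin": {"user": "admin", "role": "admin"},
}


class Forbidden(Exception):
    """Raised when the authenticated principal is not authorized."""


def fresh_store():
    """Return an independent copy of the constructed store for each run."""
    return deepcopy(_OBJECTS)


def vulnerable_update(store, token, params):
    """Vulnerable: authentication succeeds, but the authorization check
    compares the object's owner to a value the client controls (CWE-639),
    so the session identity never enters the decision."""
    SESSIONS[token]                      # authenticates; result unused for authz
    obj = store[params["id"]]
    if obj["owner"] != params["owner"]:  # satisfiable by any caller who names the real owner
        raise Forbidden("not the owner")
    obj["name"] = params["name"]
    return obj


def hardened_update(store, token, params):
    """Hardened: ownership comes from the session (AC-3), a client-supplied
    'owner' that disagrees with it is rejected and is a signal worth logging
    (SI-10), and only the admin role may act on another user's object (AC-6)."""
    session = SESSIONS[token]
    obj = store[params["id"]]
    claimed = params.get("owner")
    if claimed is not None and claimed != session["user"]:
        raise Forbidden(f"owner mismatch: session={session['user']} claimed={claimed}")
    if obj["owner"] != session["user"] and session["role"] != "admin":
        raise Forbidden("not the owner")
    obj["name"] = params["name"]
    return obj
```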
The primary advisory from Tenable, available at https://www.tenable.com/security/tns-2026-07, provides further details on the vulnerability, including potential mitigation steps. Security practitioners should consult this reference for patch information and workarounds.
Details
- CWE(s)