CVE-2026-2435

Received Received - Intake

SQL Injection Vulnerability in Tanium Asset Component

Publication date: 2026-02-20

Last updated on: 2026-02-27

Assigner: Tanium

Description

Tanium addressed a SQL injection vulnerability in Asset.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-02-20

Last Modified

2026-02-27

Generated

2026-06-16

AI Q&A

2026-02-20

EPSS Evaluated

2026-06-14

NVD

CVE-2026-2435

EUVD

EUVD-2026-8007

Affected Vendors & Products

Vendor	Product	Version / Range
tanium	asset	From 1.32 (inc) to 1.32.179 (exc)
tanium	asset	From 1.33 (inc) to 1.33.269 (exc)
tanium	asset	From 1.36 (inc) to 1.36.108 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

CVE-2026-2435 is a medium-severity SQL injection vulnerability found in Tanium Asset. It affects authenticated users who have the Asset Report Write permission. This vulnerability potentially allows these users to read, create, or modify objects in the Asset database beyond what they are authorized to access.

The vulnerability has a CVSS 3.1 base score of 6.3, indicating it can be exploited over the network with low attack complexity and requires low privileges. No user interaction is needed, and the scope remains unchanged. The impact on confidentiality, integrity, and availability is considered low.

Impact Analysis

This vulnerability can allow an authenticated user with Asset Report Write permission to access or alter data in the Asset database beyond their authorized level. This could lead to unauthorized reading, creation, or modification of database objects, potentially compromising the integrity and confidentiality of asset data.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

There are no workarounds or mitigations available for this vulnerability.

The recommended immediate step is to update Tanium Asset to a fixed version. Fixed versions include Update 21 (v1.32.179) and later for 2024H2, Update 14 (v1.33.269) and later for 2025H1, and Update 5 (v1.36.108) and later for 2025H2.

Hi! I’m here to help you understand CVE-2026-2435. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-2435

SQL Injection Vulnerability in Tanium Asset Component

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart