CVE-2026-2435
SQL Injection Vulnerability in Tanium Asset Component
Publication date: 2026-02-20
Last updated on: 2026-02-27
Assigner: Tanium
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tanium | asset | From 1.32 (inc) to 1.32.179 (exc) |
| tanium | asset | From 1.33 (inc) to 1.33.269 (exc) |
| tanium | asset | From 1.36 (inc) to 1.36.108 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2435 is a medium-severity SQL injection vulnerability found in Tanium Asset. It affects authenticated users who have the Asset Report Write permission. This vulnerability potentially allows these users to read, create, or modify objects in the Asset database beyond what they are authorized to access.
The vulnerability has a CVSS 3.1 base score of 6.3, indicating it can be exploited over the network with low attack complexity and requires low privileges. No user interaction is needed, and the scope remains unchanged. The impact on confidentiality, integrity, and availability is considered low.
How can this vulnerability impact me? :
This vulnerability can allow an authenticated user with Asset Report Write permission to access or alter data in the Asset database beyond their authorized level. This could lead to unauthorized reading, creation, or modification of database objects, potentially compromising the integrity and confidentiality of asset data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
There are no workarounds or mitigations available for this vulnerability.
The recommended immediate step is to update Tanium Asset to a fixed version. Fixed versions include Update 21 (v1.32.179) and later for 2024H2, Update 14 (v1.33.269) and later for 2025H1, and Update 5 (v1.36.108) and later for 2025H2.