CVE-2026-2697
Status: Received - Intake
IDOR Vulnerability in Security Center Enables Privilege Escalation

Publication date: 2026-02-23

Last updated on: 2026-04-29

Assigner: Tenable Network Security, Inc.

Description
An Indirect Object Reference (IDOR) in Security Center allows an authenticated remote attacker to escalate privileges via the 'owner' parameter.
Meta Information

Published: 2026-02-23

Last Modified: 2026-04-29

Generated: 2026-06-16

AI Q&A: 2026-02-23

EPSS Evaluated: 2026-06-14
Affected Vendors & Products

Vendor: tenable
Product: security_center
Version / Range: up to 6.8.0 (excluding 6.8.0)
CWE

CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Executive Summary

CVE-2026-2697 is an Indirect Object Reference (IDOR) vulnerability found in Tenable Security Center versions 6.7.2 and earlier.

This vulnerability allows an authenticated remote attacker to escalate privileges by manipulating the 'owner' parameter.

It is classified under CWE-266: Incorrect Privilege Assignment. [1]

Impact Analysis

This vulnerability can allow an authenticated remote attacker to escalate their privileges within the Tenable Security Center.

Privilege escalation can lead to unauthorized access to sensitive information, modification of data, or disruption of availability.

The CVSSv3 score of 6.3 indicates a medium severity impact affecting confidentiality, integrity, and availability.

Tenable addressed this issue in version 6.8.0, and applying the patch is strongly recommended to mitigate these risks.

Detection Guidance

CVE-2026-2697 is an Indirect Object Reference (IDOR) vulnerability that involves manipulation of the 'owner' parameter by an authenticated remote attacker to escalate privileges.

Detection would involve monitoring or testing for unauthorized privilege escalation attempts via the 'owner' parameter in Tenable Security Center versions 6.7.2 and earlier.

No specific detection commands or network scanning commands are provided in the available resources. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade Tenable Security Center to version 6.8.0 or later.

This update includes fixes for CVE-2026-2697 by addressing the IDOR vulnerability and upgrading third-party components such as libssh to version 1.11.1 and postgresql to version 16.11.

Applying this patch also resolves other related vulnerabilities and is strongly recommended to prevent privilege escalation risks.
