Executive Summary

CVE-2026-9207 is an unauthorized code execution vulnerability in Tanium Connect. It allows an authenticated Tanium user who has the Connect Write permission to execute unauthorized code within the context of the Connect service running on the Tanium Module Server. This vulnerability specifically affects customers running the Tanium Module Server on Windows.

The affected versions include the 2024H2 Release (Connect prior to Update 25 v5.26.191), the 2025H1 Release (Connect prior to Update 19 v5.29.237), and the 2025H2 Release (Connect prior to Update 9 v5.37.140).

Tanium has released updates to address this vulnerability, but no workarounds or mitigations are provided.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have a significant impact as it allows an authenticated user with certain permissions to execute unauthorized code on the Tanium Module Server. This could lead to full compromise of the Connect service, potentially affecting confidentiality, integrity, and availability of the system.

• Confidentiality impact: High
• Integrity impact: High
• Availability impact: High

Because the vulnerability requires authentication with specific permissions, the risk is limited to users who already have Connect Write permission, but the severity remains high due to the level of control gained.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should update your Tanium Connect product to a fixed version. The affected versions are prior to Update 25 (v5.26.191) for the 2024H2 Release, prior to Update 19 (v5.29.237) for the 2025H1 Release, and prior to Update 9 (v5.37.140) for the 2025H2 Release. Additionally, for the 2026H1 Release, update to Update 0 (v5.47.95) or later.

No workarounds or other mitigations are provided.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify how the unauthorized code execution vulnerability in Tanium Connect (CVE-2026-9207) affects compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability affects Tanium Connect running on the Tanium Module Server on Windows systems, specifically versions prior to certain updates.

To detect if your system is vulnerable, you should check the version of Tanium Connect installed on your Tanium Module Server.

• Identify the Tanium Connect version installed on your server.
• Compare the installed version against the fixed versions: Update 25 (v5.26.191) or later for 2024H2, Update 19 (v5.29.237) or later for 2025H1, Update 9 (v5.37.140) or later for 2025H2, and Update 0 (v5.47.95) or later for 2026H1.

Since no specific detection commands or network indicators are provided, a practical approach is to run commands on the Windows Tanium Module Server to query the installed Connect version.

• Use PowerShell to check the installed Tanium Connect version, for example: Get-ItemProperty -Path 'HKLM:\Software\Tanium\Connect' | Select-Object Version
• Alternatively, check the version via the Tanium Module Server interface or installed program details.

If the version is older than the fixed updates, the system is vulnerable and should be updated.

Useful 0 Not Useful 0