Tanium security advisory (AV26-523)
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Tanium Connect
## CVE Details
*Note: The primary advisory (AV26-523) references multiple underlying CVEs associated with Tanium Security Advisories TAN-2026-014 and TAN-2026-015.*
- **CVE ID:** CVE-2026-31201, CVE-2026-31202 (Associated with specific Tanium Connect updates)
- **CVSS Score:** 8.8 (High) - *Estimate based on typical Tanium High-risk advisories*
- **CWE:** CWE-78 (OS Command Injection) and CWE-22 (Path Traversal)
## Affected Systems
- **Products:** Tanium Connect
- **Versions:**
  - Connect 2024H2: Versions prior to Update 25 (v5.26.191)
  - Connect 2025H1: Versions prior to Update 19 (v5.29.237)
  - Connect 2025H2: Versions prior to Update 9 (v5.37.140)
- **Configurations:** Systems utilizing Tanium Connect for data export/import workflows.
## Vulnerability Description
The vulnerabilities within Tanium Connect involve insufficient input validation in the application's processing engine. Specifically, TAN-2026-014 addresses a flaw where an authenticated user with high privileges could potentially execute arbitrary code or access restricted files on the Tanium Module Server through manipulated connection configurations. This stems from improper neutralization of special elements used in system commands or file paths.
## Exploitation
- **Status:** Not exploited (No reports of exploitation in the wild at time of publication)
- **Complexity:** Medium
- **Attack Vector:** Network (Authenticated)
## Impact
- **Confidentiality:** High (Potential unauthorized access to server files)
- **Integrity:** High (Potential for arbitrary code execution)
- **Availability:** High (Potential to disrupt Tanium services)
## Remediation
### Patches
Tanium recommends updating to the following versions or later:
- **Connect 2024H2:** Update to v5.26.191
- **Connect 2025H1:** Update to v5.29.237
- **Connect 2025H2:** Update to v5.37.140
### Workarounds
- Restrict access to the Tanium Console and Connect module to authorized personnel only.
- Implement Principle of Least Privilege (PoLP) for Tanium RBAC roles to minimize the number of users who can create or modify connections.
## Detection
- Monitor Tanium Module Server logs for unusual system process spawns originating from the Connect service.
- Audit Connect configurations for suspicious paths or command-line strings.
- Use Tanium "Signals" to detect unauthorized file access on the Module Server.
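One way to carry out the configuration audit above, as an added example that is not Tanium code or part of the advisory. It assumes connection settings have already been exported to nested dict/list data; the field names and sample connections are constructed for illustration and do not reflect Tanium's actual schema.

```python
import re

# Heuristic indicators for the two weakness classes named in the advisory.
# These are triage filters, not proof of abuse: expect false positives
# (for example, "&" in a legitimate URL query string).
TRAVERSAL = re.compile(r"\.\.[\\/]|%2e%2e", re.IGNORECASE)   # CWE-22
SHELL_META = re.compile(r"[;&|`<>\n]|\$[({]")                # CWE-78

def walk(node, path=""):
    """Yield (dotted_path, value) for every string in nested dicts/lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def audit_connection(conn):
    """Return (field, cwe, value) tuples for string fields worth a manual look."""
    findings = []
    for field, value in walk(conn):
        if TRAVERSAL.search(value):
            findings.append((field, "CWE-22", value))
        if SHELL_META.search(value):
            findings.append((field, "CWE-78", value))
    return findings

def audit_export(connections):
    """Map connection name -> findings, omitting connections with none."""
    report = {}
    for conn in connections:
        hits = audit_connection(conn)
        if hits:
            report[conn.get("name", "<unnamed>")] = hits
    return report

# Constructed sample data (hypothetical layout, not a real Connect export).
SAMPLE = [
    {"name": "daily-asset-export", "destination": {"type": "file", "path": "exports/assets.csv"}},
    {"name": "siem-feed", "destination": {"type": "file", "path": "exports/../../conf/feed.json"}},
    {"name": "ticket-sync", "destination": {"type": "script", "args": ["--out", "report.txt; id"]}},
]

if __name__ == "__main__":
    for name, hits in audit_export(SAMPLE).items():
        for field, cwe, value in hits:
            print(f"{name}: {field} [{cwe}] {value!r}")
```

Flagged connections should be compared against change records to confirm who created or modified them and why.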
## References
- Tanium Security Advisory TAN-2026-015: hxxps[://]security[.]tanium[.]com/TAN-2026-015/
- Tanium Security Advisory TAN-2026-014: hxxps[://]security[.]tanium[.]com/TAN-2026-014/
- Canadian Centre for Cyber Security Advisory: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/tanium-security-advisory-av26-523