Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Tanium addressed an unauthorized code execution vulnerability in Connect.
AnalysisAI
OS command injection in Tanium Connect lets an authenticated, low-privileged user execute arbitrary commands on the underlying host, yielding full confidentiality, integrity, and availability compromise (CVSS 8.8). The flaw affects Connect branches 5.26, 5.29, and 5.37 below their respective fixed builds and is tagged as RCE/Command Injection. There is no public exploit identified at time of analysis, and EPSS estimates exploitation probability at a low 0.07% (22nd percentile).
Technical ContextAI
Tanium Connect is the data-export/integration module of the Tanium endpoint-management platform, used to route endpoint and inventory data to external destinations (SIEMs, databases, files, HTTP endpoints, etc.). The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command), meaning attacker-influenced input reaches a shell or process-execution call without adequate sanitization, allowing operating-system commands to be injected and run in the context of the Connect/Tanium service. Because Connect typically runs server-side with significant privileges on the Tanium platform host, command injection here translates into code execution on management infrastructure rather than on a single endpoint. No CPE strings were provided; affected components are identified by vendor version branches (5.26.x, 5.29.x, 5.37.x).
RemediationAI
Upgrade Tanium Connect to a fixed build for your branch: 5.26.191 or later for the 5.26 line, 5.29.237 or later for the 5.29 line, and 5.37.140 or later for the 5.37 line (Vendor-released patch per advisory TAN-2026-014, https://security.tanium.com/TAN-2026-014; fixed versions inferred from the EUVD 'affected versions' upper bounds). If immediate patching is not possible, reduce exposure by tightening who holds Connect/Tanium accounts and roles capable of creating or editing Connect connections/destinations, since PR:L means a valid low-privileged account is the precondition - revoke or restrict non-essential Connect operators and audit recent connection configurations for tampering. Additionally, restrict network access to the Tanium Server/Connect management interface to trusted administrative networks to limit who can reach the authenticated attack surface; the trade-off is reduced convenience for distributed administrators. Review the vendor advisory for any official interim workaround before relying solely on access controls.
The OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Server Side Request Forgery (SSRF)
org/mitre/oauth2/web/OAuthConfirmationController.java in the OpenID Connect server implementation for MITREid Connect th
OpenVPN Connect 3.1.0.361 on Windows has Insecure Permissions for %PROGRAMDATA%\OpenVPN Connect\drivers\tap\amd64\win10,
Adobe Connect version 9.5.6 and earlier does not adequately validate input in the events registration module. Rated medi
An issue was discovered in Adobe Connect 9.6.2 and earlier versions. Rated critical severity (CVSS 10.0), this vulnerabi
Adobe Connect before 9.5.2 allows remote attackers to have an unspecified impact via a crafted parameter in a URL. Rated
RStudio Connect prior to 2023.01.0 is affected by an Open Redirect issue. Rated medium severity (CVSS 6.1), this vulnera
The OpenID Connect reference implementation for MITREid Connect through 1.3.3 allows XSS due to userInfoJson being inclu
Execution with Unnecessary Privileges vulnerability in Saphira Saphira Connect allows Remote Code Inclusion. Rated criti
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saphira Saphira Co
Adobe Connect version 11.2.3 (and earlier) is affected by a Deserialization of Untrusted Data vulnerability to achieve a
IBM Connect:Direct for UNIX 6.1.0, 6.0.0, 4.3.0, and 4.2.0 can allow a local or remote user to obtain an authenticated C
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32035
GHSA-4p47-gj2p-5wr9