Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable /w/api/* endpoints require no authentication or user interaction (AV:N/AC:L/PR:N/UI:N); impact is pure confidentiality disclosure of credentials and config (C:H, I:N, A:N).
Primary rating from Vendor (tenable).
CVSS VectorVendor: tenable
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
Tenable Identity Exposure contains multiple unauthenticated API endpoints under /w/api/* that expose sensitive application configuration data including cleartext LDAP credentials, SAML configuration, user accounts, and directory settings to unauthenticated remote attackers. Affected responses are served with Cache-Control: public headers and without Vary: Cookie, allowing reverse proxies and CDNs to cache and serve sensitive data to unauthenticated users even after authentication is applied.
AnalysisAI
Unauthenticated information disclosure in Tenable Identity Exposure versions prior to 3.93.5 allows remote attackers to retrieve cleartext LDAP credentials, SAML configuration, user accounts, and directory settings via API endpoints under /w/api/*. The flaw is compounded by Cache-Control: public response headers that lack a Vary: Cookie directive, allowing reverse proxies and CDNs to cache and re-serve the sensitive data to other unauthenticated requesters. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions - remote unauthenticated HTTP access to the /w/api/* endpoints of a Tenable Identity Exposure deployment prior to version 3.93.5 is sufficient. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H) is internally consistent with the description: the endpoints are network-reachable, require no authentication, no special attack requirements, and the impact is loss of high-value confidential data (cleartext LDAP credentials and SAML configuration), with limited subsequent-system impact (SC:L/SI:L) because exposed credentials can pivot into AD. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker on the network path to the Tenable Identity Exposure web interface sends a GET request to an endpoint under /w/api/* and receives a JSON document containing the cleartext LDAP bind credential used to query Active Directory, along with SAML configuration and user account metadata. The attacker reuses the LDAP credential to bind to the domain controller and enumerate or modify directory objects according to that account's rights, achieving Active Directory foothold without ever authenticating to the Tenable product. |
| Remediation | Vendor-released patch: Tenable Identity Exposure 3.93.5 - upgrade to this release or later per the Tenable advisory at https://www.tenable.com/security/research/tns-2026-16. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all instances of Tenable Identity Exposure and confirm which versions are deployed (check Settings > About). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38487
GHSA-rqcc-h287-275c