Skip to main content

Tenable Identity Exposure EUVDEUVD-2026-38487

| CVE-2026-13007 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-23 tenable GHSA-rqcc-h287-275c
8.7
CVSS 4.0 · Vendor: tenable
Share

Severity by source

Vendor (tenable) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.6 HIGH

Network-reachable /w/api/* endpoints require no authentication or user interaction (AV:N/AC:L/PR:N/UI:N); impact is pure confidentiality disclosure of credentials and config (C:H, I:N, A:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (tenable).

CVSS VectorVendor: tenable

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Jun 23, 2026 - 18:35 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 23, 2026 - 18:34 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 23, 2026 - 18:22 vuln.today
cvss_changed
CVSS changed
Jun 23, 2026 - 18:22 NVD
7.5 (HIGH) 8.7 (HIGH)
Patch available
Jun 23, 2026 - 18:17 EUVD
CVE Published
Jun 23, 2026 - 17:03 cve.org
HIGH 7.5
Analysis Generated
Jun 23, 2026 - 17:00 vuln.today

DescriptionCVE.org

Tenable Identity Exposure contains multiple unauthenticated API endpoints under /w/api/* that expose sensitive application configuration data including cleartext LDAP credentials, SAML configuration, user accounts, and directory settings to unauthenticated remote attackers. Affected responses are served with Cache-Control: public headers and without Vary: Cookie, allowing reverse proxies and CDNs to cache and serve sensitive data to unauthenticated users even after authentication is applied.

AnalysisAI

Unauthenticated information disclosure in Tenable Identity Exposure versions prior to 3.93.5 allows remote attackers to retrieve cleartext LDAP credentials, SAML configuration, user accounts, and directory settings via API endpoints under /w/api/*. The flaw is compounded by Cache-Control: public response headers that lack a Vary: Cookie directive, allowing reverse proxies and CDNs to cache and re-serve the sensitive data to other unauthenticated requesters. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed Tenable Identity Exposure host
Delivery
Send unauthenticated GET to /w/api/*
Exploit
Receive LDAP credentials and SAML config
Execution
Bind to Active Directory as service account
Impact
Enumerate or modify directory objects

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated HTTP access to the /w/api/* endpoints of a Tenable Identity Exposure deployment prior to version 3.93.5 is sufficient. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H) is internally consistent with the description: the endpoints are network-reachable, require no authentication, no special attack requirements, and the impact is loss of high-value confidential data (cleartext LDAP credentials and SAML configuration), with limited subsequent-system impact (SC:L/SI:L) because exposed credentials can pivot into AD. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker on the network path to the Tenable Identity Exposure web interface sends a GET request to an endpoint under /w/api/* and receives a JSON document containing the cleartext LDAP bind credential used to query Active Directory, along with SAML configuration and user account metadata. The attacker reuses the LDAP credential to bind to the domain controller and enumerate or modify directory objects according to that account's rights, achieving Active Directory foothold without ever authenticating to the Tenable product.
Remediation Vendor-released patch: Tenable Identity Exposure 3.93.5 - upgrade to this release or later per the Tenable advisory at https://www.tenable.com/security/research/tns-2026-16. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all instances of Tenable Identity Exposure and confirm which versions are deployed (check Settings > About). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38487 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy