Cyber Posture

CVE-2026-2697

Severity: Medium
Published: 23 February 2026
Modified: 26 February 2026
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0015 (34.7th percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

An Indirect Object Reference (IDOR) in Security Center allows an authenticated remote attacker to escalate privileges via the 'owner' parameter.

Mitigating Controls (NIST 800-53 r5)

AC-3 (prevent): Enforces approved authorizations for access to system resources, directly preventing authenticated low-privilege attackers from escalating privileges via manipulated 'owner' parameters in this IDOR vulnerability.

SI-10 (prevent): Requires validation of inputs like the 'owner' parameter against user context, blocking unauthorized object references that enable IDOR-based privilege escalation.

AC-6 (prevent): Applies least privilege to limit the scope of escalation even if IDOR manipulation partially succeeds, reducing potential impacts to confidentiality, integrity, and availability.
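The three controls above describe the same server-side check from different angles. The following is an added illustration, not code from Security Center, Tenable, or this page: a hypothetical "reassign owner" handler in its IDOR-prone form next to a version that applies AC-3 (caller must be an admin or the current owner), SI-10 (the asset and owner references are validated against the server's own store) and AC-6 (the caller's role is read from trusted state, never from the request). The user ids, asset ids and roles are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class User:
    user_id: str
    role: str  # "admin" or "analyst" (constructed roles for this example)


@dataclass
class Asset:
    asset_id: str
    owner_id: str


class AuthorizationError(Exception):
    """Caller is not permitted to make this change (AC-3 violation)."""


class ValidationError(Exception):
    """A request parameter failed server-side validation (SI-10)."""


def sample_store() -> Tuple[Dict[str, User], Dict[str, Asset]]:
    """Constructed sample users and assets; a fresh copy per call keeps runs independent."""
    users = {
        "u-admin": User("u-admin", "admin"),
        "u-alice": User("u-alice", "analyst"),
        "u-mallory": User("u-mallory", "analyst"),
    }
    assets = {
        "a-100": Asset("a-100", "u-alice"),  # owned by alice
        "a-200": Asset("a-200", "u-admin"),  # owned by the admin
    }
    return users, assets


def reassign_owner_vulnerable(users, assets, caller_id, asset_id, owner):
    """IDOR pattern: the client-supplied 'owner' value is written straight to the
    record. Nothing ties the caller to the asset, so any authenticated user can
    take over any asset whose id they can guess or enumerate."""
    asset = assets[asset_id]
    asset.owner_id = owner
    return asset.owner_id


def reassign_owner_hardened(users, assets, caller_id, asset_id, owner):
    """Same operation with the controls applied."""
    # Caller identity and role come from the server-side user store,
    # never from the request body (AC-6: privilege derived from trusted state).
    caller = users[caller_id]

    # SI-10: validate the object references before acting on them.
    asset = assets.get(asset_id)
    if asset is None:
        raise ValidationError(f"unknown asset {asset_id!r}")
    if owner not in users:
        raise ValidationError(f"unknown owner {owner!r}")

    # AC-3: only an admin or the asset's current owner may reassign it.
    if caller.role != "admin" and asset.owner_id != caller_id:
        raise AuthorizationError(
            f"{caller_id} is not the owner of {asset_id} and is not an admin"
        )

    asset.owner_id = owner
    return asset.owner_id


def run_demo() -> Dict[str, str]:
    """Send the same low-privilege request through both handlers and report the outcome."""
    results = {}

    users, assets = sample_store()
    results["vulnerable"] = reassign_owner_vulnerable(
        users, assets, caller_id="u-mallory", asset_id="a-100", owner="u-mallory"
    )

    users, assets = sample_store()
    try:
        reassign_owner_hardened(users, assets, "u-mallory", "a-100", "u-mallory")
        results["hardened"] = "allowed"
    except AuthorizationError:
        results["hardened"] = "denied"
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point to take from the hardened version is that the 'owner' parameter is treated as a request to change ownership, not as a statement of who the caller is: the decision is made from the stored record and the caller's stored role, and the request is rejected before any write if either reference is unknown.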

Security Summary

CVE-2026-2697 is an Indirect Object Reference (IDOR) vulnerability, mapped to CWE-639, in Security Center. Published on 2026-02-23, it enables an authenticated remote attacker to escalate privileges by manipulating the 'owner' parameter. The issue carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), reflecting medium severity with network accessibility, low attack complexity, and requirements for low-privilege authentication.

An attacker with existing low-privileged credentials can exploit this over the network without user interaction. By abusing the 'owner' parameter in IDOR fashion, they achieve privilege escalation, alongside low-level impacts to confidentiality, integrity, and availability within the affected Security Center instance.

The primary advisory from Tenable, available at https://www.tenable.com/security/tns-2026-07, provides further details on the vulnerability, including potential mitigation steps. Security practitioners should consult this reference for patch information and workarounds.

Details

CWE(s)

CWE-639 (Authorization Bypass Through User-Controlled Key)

Affected Products

Tenable Security Center ≤ 6.8.0

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The IDOR vulnerability (CVE-2026-2697) allows an authenticated low-privilege attacker to escalate privileges by manipulating the 'owner' parameter, directly enabling T1068: Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

Tenable advisory TNS-2026-07: https://www.tenable.com/security/tns-2026-07