CVE-2026-2698 - Vulnerability Details - OpenCVE

An improper access control vulnerability exists where an authenticated user could access areas outside of their authorized scope.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Tenable	Security Center

No data.

No data.

No data.

References

Link	Providers
https://https://docs.tenable.com/release-notes/Content/security-center/2026.htm
https://https://www.tenable.com/security/tns-2026-07

History

Mon, 23 Feb 2026 17:00:00 +0000

Type	Values Removed	Values Added
Description		An improper access control vulnerability exists where an authenticated user could access areas outside of their authorized scope.
Title		Improper Access Control
First Time appeared		Tenable Tenable security Center
Weaknesses		CWE-639
CPEs		cpe:2.3:a:tenable:security_center::::::::
Vendors & Products		Tenable Tenable security Center
References		https://https://docs.tenable.com/release-notes/Content/security-center/2026.htm https://https://www.tenable.com/security/tns-2026-07
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}` cvssV4_0 `{'score': 5.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}`

MITRE

Status: PUBLISHED

Assigner: tenable

Published: 2026-02-23T16:28:07.711Z

Updated: 2026-02-23T18:17:26.382Z

Reserved: 2026-02-18T15:44:14.404Z

Link: CVE-2026-2698

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-02-23T17:23:30.390

Modified: 2026-02-23T18:13:53.397

Link: CVE-2026-2698

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2698", "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "state": "PUBLISHED", "assignerShortName": "tenable", "dateReserved": "2026-02-18T15:44:14.404Z", "datePublished": "2026-02-23T16:28:07.711Z", "dateUpdated": "2026-02-23T18:17:26.382Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Security Center", "vendor": "Tenable", "versions": [{"lessThan": "6.8.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tenable:security_center:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.8.0", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An improper access control vulnerability exists where an authenticated user could access areas outside of their authorized scope."}], "value": "An improper access control vulnerability exists where an authenticated user could access areas outside of their authorized scope."}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.7, "baseSeverity": "MEDIUM", "exploitMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "shortName": "tenable", "dateUpdated": "2026-02-23T16:28:07.711Z"}, "references": [{"url": "https://https://www.tenable.com/security/tns-2026-07"}, {"url": "https://https://docs.tenable.com/release-notes/Content/security-center/2026.htm"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Tenable has released Security Center 6.8.0 to address these issues. The installation files can be obtained from the Tenable Downloads Portal: <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.tenable.com/downloads/security-center\">https://www.tenable.com/downloads/security-center</a></p><p><strong>Note: </strong>Patches that include fixes for <u>Apache, PHP and Libcurl</u> were recently released (<a target=\"_blank\" rel=\"nofollow\" href=\"https://www.tenable.com/security/tns-2026-06)\">https://www.tenable.com/security/tns-2026-06)</a>. Tenable Security Center 6.8.0 includes all of these fixes. Please refer to the <a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.tenable.com/release-notes/Content/security-center/2026.htm\">Tenable SC Release Notes</a> for more information.</p>"}], "value": "Tenable has released Security Center 6.8.0 to address these issues. The installation files can be obtained from the Tenable Downloads Portal: https://www.tenable.com/downloads/security-center \n\nNote: Patches that include fixes for Apache, PHP and Libcurl\u00a0were recently released ( https://www.tenable.com/security/tns-2026-06) . Tenable Security Center 6.8.0 includes all of these fixes. Please refer to the Tenable SC Release Notes https://docs.tenable.com/release-notes/Content/security-center/2026.htm \u00a0for more information."}], "source": {"advisory": "tns-2026-07", "discovery": "EXTERNAL"}, "title": "Improper Access Control", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-23T18:17:07.564162Z", "id": "CVE-2026-2698", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T18:17:26.382Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An improper access control vulnerability exists where an authenticated user could access areas outside of their authorized scope."}], "id": "CVE-2026-2698", "lastModified": "2026-02-23T18:13:53.397", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "vulnreport@tenable.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vulnreport@tenable.com", "type": "Secondary"}]}, "published": "2026-02-23T17:23:30.390", "references": [{"source": "vulnreport@tenable.com", "url": "https://https://docs.tenable.com/release-notes/Content/security-center/2026.htm"}, {"source": "vulnreport@tenable.com", "url": "https://https://www.tenable.com/security/tns-2026-07"}], "sourceIdentifier": "vulnreport@tenable.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "vulnreport@tenable.com", "type": "Secondary"}]}