[R1] Tenable Identity Exposure Version 3.93.5 Fixes Multiple Vulnerabilities

Critical

Synopsis

Tenable Identity Exposure leverages third-party software to help provide underlying functionality. Several of the third-party components (.NET Windows Server Hosting, NodeJS, Erlang OTP, SQL Server, OpenSSL, Curl) were found to contain vulnerabilities, and updated versions have been made available by the providers.

Out of caution and in line with best practice, Tenable has opted to upgrade these components to address the potential impact of the issues. Tenable Identity Exposure version 3.93.5 updates .NET Windows Server Hosting to version 8.0.28.26269, NodeJS to version 20.20.2.0, Erlang OTP to version 26.2.5.21, SQL Server to version 15.0.4470.1, OpenSSL to version 4.0.1, and Curl to version 8.19.0 to address the identified vulnerabilities.

Tenable Identity Exposure version v3.93.5 also resolves a vulnerability related to API endpoints returning information to unauthenticated GET requests (CVE-2026-13007).

 

CVE IDBase ScoreTemporal ScoreCVSSv3 VectorCVSSv4 Base ScoreCVSSv4 VectorCWE
MEDIUMCVE-2025-111876.15.3CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H/E:U/RL:O/RC:CCWE-121: Stack-based Buffer Overflow
MEDIUMCVE-2025-130345.95.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:CCWE-345: Insufficient Verification of Data Authenticity
MEDIUMCVE-2025-140176.35.5CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:CCWE-416: Use After Free
MEDIUMCVE-2025-145245.34.6CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:CCWE-200: Exposure of Sensitive Information to an Unauthorized Actor
MEDIUMCVE-2025-148195.34.6CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:CCWE-200: Exposure of Sensitive Information to an Unauthorized Actor
MEDIUMCVE-2025-150795.34.6CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:CCWE-200: Exposure of Sensitive Information to an Unauthorized Actor
LOWCVE-2025-152243.12.7CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:CCWE-284: Improper Access Control
HIGHCVE-2025-154678.87.6CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CCWE-416: Use After Free
MEDIUMCVE-2025-154685.95.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
MEDIUMCVE-2025-154695.54.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:CCWE-284: Improper Access Control
CRITICALCVE-2025-551309.17.9CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:CCWE-287: Improper Authentication
HIGHCVE-2025-551317.16.2CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L/E:U/RL:O/RC:CCWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
MEDIUMCVE-2025-551325.34.6CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C4.8CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:NCWE-200: Exposure of Sensitive Information to an Unauthorized Actor
HIGHCVE-2025-552477.36.3CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CCWE-269: Improper Privilege Management
MEDIUMCVE-2025-552485.75CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:CCWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CRITICALCVE-2025-553159.98.6CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L/E:U/RL:O/RC:CCWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
HIGHCVE-2025-594657.56.5CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
HIGHCVE-2025-594667.56.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
MEDIUMCVE-2025-661995.95.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
MEDIUMCVE-2025-681604.74.1CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
MEDIUMCVE-2025-6941843.5CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:CCWE-200: Exposure of Sensitive Information to an Unauthorized Actor
HIGHCVE-2025-694197.46.4CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:CCWE-295: Improper Certificate Validation
HIGHCVE-2025-694207.56.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
HIGHCVE-2025-694217.56.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
MEDIUMCVE-2026-19656.55.7CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:CCWE-284: Improper Access Control
MEDIUMCVE-2026-26736.55.7CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:U/RL:O/RC:CCWE-284: Improper Access Control
MEDIUMCVE-2026-37835.34.6CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:CCWE-200: Exposure of Sensitive Information to an Unauthorized Actor
MEDIUMCVE-2026-37846.55.7CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:CCWE-200: Exposure of Sensitive Information to an Unauthorized Actor
HIGHCVE-2026-38057.56.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
MEDIUMCVE-2026-48735.95.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:CCWE-200: Exposure of Sensitive Information to an Unauthorized Actor
MEDIUMCVE-2026-55456.55.7CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:CCWE-284: Improper Access Control
HIGHCVE-2026-57737.56.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:CCWE-200: Exposure of Sensitive Information to an Unauthorized Actor
MEDIUMCVE-2026-62535.95.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
HIGHCVE-2026-62767.56.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
MEDIUMCVE-2026-64295.34.6CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:CCWE-200: Exposure of Sensitive Information to an Unauthorized Actor
MEDIUMCVE-2026-70095.34.6CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:CCWE-200: Exposure of Sensitive Information to an Unauthorized Actor
MEDIUMCVE-2026-71685.34.6CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:CCWE-200: Exposure of Sensitive Information to an Unauthorized Actor
HIGHCVE-2026-73838.17CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CCWE-295: Improper Certificate Validation
HIGHCVE-2026-90767.56.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
HIGHCVE-2026-130077.56.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:NCWE-306: Missing Authentication for Critical Function; CWE-524: Use of Cache Containing Sensitive Information
HIGHCVE-2026-212187.56.5CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:NCWE-284: Improper Access Control
HIGHCVE-2026-212628.87.6CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CCWE-284: Improper Access Control
HIGHCVE-2026-216377.56.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
HIGHCVE-2026-217107.56.5CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
MEDIUMCVE-2026-217135.95.1CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:CCWE-200: Exposure of Sensitive Information to an Unauthorized Actor
MEDIUMCVE-2026-217145.34.6CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
LOWCVE-2026-217153.32.9CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:CCWE-200: Exposure of Sensitive Information to an Unauthorized Actor
LOWCVE-2026-217163.32.9CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:CCWE-284: Improper Access Control
MEDIUMCVE-2026-217175.95.1CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
MEDIUMCVE-2026-227955.54.8CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
MEDIUMCVE-2026-227965.34.6CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
HIGHCVE-2026-261307.56.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
HIGHCVE-2026-261717.56.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
HIGHCVE-2026-283867.56.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-125: Out-of-bounds Read
HIGHCVE-2026-283878.17CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CCWE-295: Improper Certificate Validation
HIGHCVE-2026-283887.56.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
HIGHCVE-2026-283897.56.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
HIGHCVE-2026-283907.56.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
CRITICALCVE-2026-317899.88.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CCWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
HIGHCVE-2026-317907.56.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:CCWE-200: Exposure of Sensitive Information to an Unauthorized Actor
HIGHCVE-2026-321677.86.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CCWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
MEDIUMCVE-2026-321754.33.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:CCWE-284: Improper Access Control
HIGHCVE-2026-321767.86.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CCWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
HIGHCVE-2026-321777.36.3CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L/E:U/RL:O/RC:CCWE-269: Improper Privilege Management
HIGHCVE-2026-321787.56.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:CCWE-200: Exposure of Sensitive Information to an Unauthorized Actor
HIGHCVE-2026-322037.56.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
HIGHCVE-2026-331167.56.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
HIGHCVE-2026-331208.87.6CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CCWE-822: Untrusted Pointer Dereference
HIGHCVE-2026-341807.56.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
HIGHCVE-2026-341817.46.4CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:CCWE-295: Improper Certificate Validation
CRITICALCVE-2026-341829.17.9CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:CCWE-287: Improper Authentication
HIGHCVE-2026-341837.56.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
MEDIUMCVE-2026-3518854.4CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:CCWE-200: Exposure of Sensitive Information to an Unauthorized Actor
HIGHCVE-2026-354337.36.3CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L/E:U/RL:O/RC:CCWE-269: Improper Privilege Management
HIGHCVE-2026-403708.87.6CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CCWE-73: External Control of File Name or Path
HIGHCVE-2026-427647.56.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
HIGHCVE-2026-427657.56.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
MEDIUMCVE-2026-427665.95.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
MEDIUMCVE-2026-427675.95.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
LOWCVE-2026-427683.73.2CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:CCWE-200: Exposure of Sensitive Information to an Unauthorized Actor
MEDIUMCVE-2026-427695.34.6CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:CCWE-200: Exposure of Sensitive Information to an Unauthorized Actor
LOWCVE-2026-427703.73.2CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:CCWE-200: Exposure of Sensitive Information to an Unauthorized Actor
MEDIUMCVE-2026-427716.25.4CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
MEDIUMCVE-2026-427894.84.2CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C7CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:NCWE-295: Improper Certificate Validation
HIGHCVE-2026-427908.17CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C7.6CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:NCWE-295: Improper Certificate Validation
HIGHCVE-2026-428997.56.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption
HIGHCVE-2026-454457.56.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:CCWE-200: Exposure of Sensitive Information to an Unauthorized Actor
MEDIUMCVE-2026-454464.84.2CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:CCWE-295: Improper Certificate Validation
HIGHCVE-2026-454478.87.6CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CCWE-287: Improper Authentication
HIGHCVE-2026-454907.86.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:CCWE-269: Improper Privilege Management
MEDIUMCVE-2026-454915.54.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:CCWE-284: Improper Access Control
HIGHCVE-2026-455917.56.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:CCWE-400: Uncontrolled Resource Consumption

Solution

Tenable has released Tenable Identity Exposure version 3.93.5 to address these issues. The installation files can be obtained from the Tenable Downloads Portal: https://www.tenable.com/downloads/identity-exposure

Additional References

https://docs.tenable.com/release-notes/Content/identity-exposure/onprem/2026.htm#Tenable-Identity-Exposure-3.93.5-(2026-06-23)-

This page contains information regarding security vulnerabilities that may impact Tenable's products. This may include issues specific to our software, or due to the use of third-party libraries within our software. Tenable strongly encourages users to ensure that they upgrade or apply relevant patches in a timely manner.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

>