Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN197
_____________________________________________________________________

DATE                : 19/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Tenable Security Center versions
                                       prior to 6.8.0.

=====================================================================
https://www.tenable.com/security/tns-2026-07
_____________________________________________________________________


[R1] Security Center Version 6.8.0 Fixes Multiple Vulnerabilities

Critical


Synopsis

Security Center leverages third-party software to help provide
underlying functionality. Several of the third-party components
(php jwt, libssh, postgresql) were found to contain vulnerabilities,
and updated versions have been made available by the providers.

Out of caution and in line with best practice, Tenable has opted to
upgrade these components to address the potential impact of the
issues. Security Center 6.8.0 updates php jwt to version
7.0.2,  libssh to version 1.11.1 and postgresql to version 16.11
to address the identified vulnerabilities.

Additionally, several externally reported vulnerabilities were fixed:

    An Indirect Object Reference (IDOR) in Security Center allows an
authenticated remote attacker to escalate privileges via the 'owner'
parameter. (CVE-2026-2697)

    An improper access control vulnerability exists where an
authenticated user could access areas outside of their authorized
scope. (CVE-2026-2698)


Solution

Tenable has released Security Center 6.8.0 to address these issues.
The installation files can be obtained from the Tenable Downloads
Portal: https://www.tenable.com/downloads/security-center

Note: Patches that include fixes for Apache, PHP and Libcurl were
recently released (https://www.tenable.com/security/tns-2026-06).
Tenable Security Center 6.8.0 includes all of these fixes. Please
refer to the Tenable SC Release Notes for more information.


Additional References
https://docs.tenable.com/release-notes/Content/security-center/2026.htm

This page contains information regarding security vulnerabilities
that may impact Tenable's products. This may include issues specific
to our software, or due to the use of third-party libraries within
our software. Tenable strongly encourages users to ensure that they
upgrade or apply relevant patches in a timely manner.

Tenable takes product security very seriously. If you believe you
have found a vulnerability in one of our products, we ask that you
please work with us to quickly resolve it in order to protect
customers. Tenable believes in responding quickly to such reports,
maintaining communication with researchers, and providing a
solution in short order.

For more details on submitting vulnerability information, please
see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please
email [email protected]


Risk Information
CVE ID: CVE-2021-46743
CVE-2023-6918
CVE-2025-12818
CVE-2026-2697
CVE-2026-2698

Tenable Advisory ID: TNS-2026-07
Risk Factor: Critical

CVSSv3 Base / Temporal Score:
9.1 / 8.2 (CVE-2021-46743)
5.3 / 4.6 (CVE-2023-6918)
5.9 / 5.2 (CVE-2025-12818)
6.3 / 5.7 (CVE-2026-2697)
6.5 / 5.9 (CVE-2026-2698)

CVSSv3 Vector:
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C (CVE-2021-46743)
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C (CVE-2023-6918)
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C (CVE-2025-12818)
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R (CVE-2026-2697)
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C (CVE-2026-2698)
CVSSv4 Base Score:
2.1 (CVE-2026-2697)
5.7 (CVE-2026-2698)

CVSSv4 Vector:
AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P (CVE-2026-2697)
AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P (CVE-2026-2698)

CWE:
CWE-266: Incorrect Privilege Assignment (CVE-2026-2697)
CWE-639: Authorization Bypass Through User-Controlled Key (CVE-2026-2698)

Affected Products
Security Center 6.7.2 w/ Patch SC-202602.1 and Patch SC-202602.2 and earlier

Disclosure Timeline
2025-11-19 - Reports received by Tenable
2025-11-22 - Report confirmed as valid
2026-02-18 - CVE ID requested / CVSS v3/v4 scoring calculated
2026-02-18 - Tenable Security Center 6.8.0 released

Advisory Timeline
2026-02-18 - [R1] Initial Release



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================