HIGH · CVE-2026-9208 · Published · Modified · CNA: Tanium

CVE-2026-9208: Tanium addressed an unauthorized code execution vulnerability in Connect.

HarborGuard Analysis

Synopsis

An unauthorized code execution vulnerability affects Tanium Connect, a data integration component of the Tanium endpoint management platform. The flaw is reachable over the network and requires only a low-privilege authenticated account, with no victim interaction needed. Successful exploitation gives an attacker full read, write, and availability impact on the affected service, effectively enabling remote code execution. Patched-image rebuilds at versions 5.26.191, 5.29.237, and 5.37.140 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Tanium Connect. Any image running a Connect version below the fixed releases in the 5.26, 5.29, or 5.37 branches is flagged automatically.

Triage: Available

HarborGuard scores this CVE at 8.8 HIGH using its CVSS v3.1 vector and weights the finding against each environment's compliance policy to set priority. Triage alerts are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Available

A patched-image rebuild at versions 5.26.191, 5.29.237, or 5.37.140 (matching the branch in use) becomes available in HarborGuard the moment the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against the affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the Tanium Connect service over the network; the CVSS vector specifies AV:N, meaning no local or physical access is required.

  • Authentication: Required

    The attacker must hold a valid low-privilege account on the Tanium platform; any ordinary user credential is sufficient, per the PR:L token.

  • Victim interaction: Not required

    No user action, click, or social-engineering step is needed; the exploit is fully attacker-driven, per the UI:N token.

  • Attack complexity: Detail

    Attack complexity is low (AC:L), meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.

Blast Radius

  • A successful attacker executes arbitrary code in the context of the Tanium Connect service process.
  • All data accessible to that process, including stored connection configurations and credentials, becomes readable.
  • The attacker can write or modify integration data and persisted configuration, tampering with downstream data flows.
  • The attacker can crash or disrupt the Connect service, blocking endpoint data collection and integration pipelines that depend on it.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-9208 is active across all scanning environments, covering images in customer registries and CI/CD pipelines. For environments running a Connect version in the affected 5.26, 5.29, or 5.37 branches, a rebuilt image pinned to the corresponding fixed version (5.26.191, 5.29.237, or 5.37.140) is available. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, executes a regression run, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy does not permit auto-remediation, the finding appears in the HarborGuard dashboard with fix-version guidance so teams can act manually.
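For teams acting manually on the fix-version guidance, the branch-aware comparison can be scripted as below. This is an added example, not HarborGuard or Tanium code; the function names, the `unlisted` status, and the sample inventory are hypothetical, and version strings are assumed to be dotted integers.

```python
import re

# Branch (major, minor) -> first fixed build, taken from the fixed versions
# listed on this page: 5.26.191, 5.29.237, 5.37.140.
FIXED_BUILDS = {(5, 26): 191, (5, 29): 237, (5, 37): 140}

def classify(version: str) -> str:
    """Return 'affected', 'fixed', or 'unlisted' for a Connect version string."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, build = (int(g) for g in m.groups())
    fixed_build = FIXED_BUILDS.get((major, minor))
    if fixed_build is None:
        # The page covers only three branches; other branches are reported
        # as 'unlisted' rather than guessed at.
        return "unlisted"
    # Compare as integers: as text, "99" sorts after "191" and would be
    # wrongly treated as newer than the fix.
    return "affected" if build < fixed_build else "fixed"

def triage(inventory):
    """Group image names by classification result."""
    result = {"affected": [], "fixed": [], "unlisted": []}
    for image, version in inventory:
        result[classify(version)].append(image)
    return result

# Constructed sample inventory (image names and versions are made up).
SAMPLE_INVENTORY = [
    ("connect-prod", "5.26.99"),
    ("connect-stage", "5.29.237"),
    ("connect-dev", "5.37.12"),
    ("connect-lab", "5.30.4"),
]

if __name__ == "__main__":
    for status, images in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(images) or '-'}")
```

Images reported as `unlisted` run a branch this page does not mention and need to be checked against the vendor advisory directly.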

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: 5.26.191
  • Affected Products: 1

Fix available: 5.26.191, 5.29.237, 5.37.140

Affected packages

  • Tanium / Connect
    < 5.26.191 (from 5.26) · < 5.29.237 (from 5.29) · < 5.37.140 (from 5.37)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References