CVE-2026-9207

Vulnerability

CVE-2026-9207 is an unauthorized code execution vulnerability in Tanium Connect. The flaw resides in the Connect service running on the Tanium Module Server, which is only exploitable on Windows-based deployments. An authenticated Tanium user with the Connect Write permission can trigger the vulnerability. Affected versions include Connect prior to Update 25 (v5.26.191) in the 2024H2 release, prior to Update 19 (v5.29.237) in the 2025H1 release, and prior to Update 9 (v5.37.140) in the 2025H2 release [1].

Exploitation

To exploit this vulnerability, an attacker must have a valid Tanium account with the Connect Write permission and network access to the Tanium Module Server. No user interaction is required beyond the attacker's own actions. The attacker can send specially crafted requests to the Connect service, leveraging their write permission to execute arbitrary code in the context of the Connect service [1].

Impact

Successful exploitation allows the attacker to execute unauthorized code with the privileges of the Connect service on the Tanium Module Server. This can lead to full compromise of confidentiality, integrity, and availability (CIA) of the affected system, as the attacker gains the ability to read, modify, or delete data and potentially pivot to other systems [1].

Mitigation

Tanium has released fixed versions: Connect Update 25 (v5.26.191) for 2024H2, Update 19 (v5.29.237) for 2025H1, Update 9 (v5.37.140) for 2025H2, and Update 0 (v5.47.95) for 2026H1. No workarounds are available; customers must upgrade to a patched version. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].