CVE-2026-9208
Description
Tanium addressed an unauthorized code execution vulnerability in Connect.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated Tanium Connect users with Connect Write permission can achieve remote code execution on the Module Server.
Vulnerability
CVE-2026-9208 is an unauthorized code execution vulnerability residing in the Tanium Connect component. An authenticated user who possesses the Connect Write permission can exploit the flaw to execute arbitrary code in the context of the Connect service running on the Tanium Module Server. The following versions are affected: Connect prior to v5.26.191 in the 2024H2 Release, prior to v5.29.237 in the 2025H1 Release, and prior to v5.37.140 in the 2025H2 Release [1].
Exploitation
An attacker must first be an authenticated Tanium user and must hold the Connect Write permission. With that level of access, the attacker can trigger the vulnerability to execute unauthorized code. No specific workaround or mitigation is described, and no user interaction beyond the attacker's own actions is required. The CVSS vector further indicates the attack vector is network-based with low complexity and requires only low privileges [1].
Impact
Successful exploitation leads to unauthorized code execution in the context of the Connect service on the Tanium Module Server. Confidentiality, integrity, and availability are all fully affected: the attacker can read, modify, or destroy data, and can also disrupt service. The privilege level achieved is effectively the same as that of the Connect service itself [1].
Mitigation
Tanium has released fixed versions: Connect v5.26.191 (2024H2 Update 25), v5.29.237 (2025H1 Update 19), v5.37.140 (2025H2 Update 9), and v5.47.95 (2026H1 Update 0). No workaround or mitigation is available aside from applying the updates, so users must upgrade their Connect installation to one of the patched versions. This CVE is not listed on the CISA KEV as of the publication date [1].
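A patch-status check for an inventory of Connect installs, using the fixed versions listed above. This is an added example, not Tanium code; the inventory format (host, release train, installed version), the hostnames and the function names are assumptions made for illustration.

```python
import re

# Fixed Connect versions per Tanium release train, as listed on this page.
FIXED = {
    "2024H2": (5, 26, 191),
    "2025H1": (5, 29, 237),
    "2025H2": (5, 37, 140),
    "2026H1": (5, 47, 95),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return (major, minor, build), or None if the string is not x.y.z."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def classify(release, version):
    """Return 'patched', 'vulnerable' or 'unknown' for one Connect install."""
    fixed = FIXED.get(release.strip().upper())
    parsed = parse_version(version)
    if fixed is None or parsed is None:
        return "unknown"  # train not listed on the page, or unparseable version
    # Compare numerically: as strings, "5.37.9" would sort above "5.37.140".
    return "patched" if parsed >= fixed else "vulnerable"


def triage(inventory):
    """Map each host to (status, fixed version to upgrade to, or None)."""
    report = {}
    for host, release, version in inventory:
        status = classify(release, version)
        target = None
        if status == "vulnerable":
            target = "v" + ".".join(map(str, FIXED[release.strip().upper()]))
        report[host] = (status, target)
    return report


# Constructed sample inventory; hostnames and installed versions are made up.
SAMPLE = [
    ("tms-01.example.internal", "2024H2", "5.26.150"),
    ("tms-02.example.internal", "2025H1", "v5.29.237"),
    ("tms-03.example.internal", "2025H2", "5.37.9"),
    ("tms-04.example.internal", "2023H2", "5.20.1"),
]

if __name__ == "__main__":
    for host, (status, target) in sorted(triage(SAMPLE).items()):
        print(f"{host}: {status}" + (f" -> upgrade to {target}" if target else ""))
```

Installs reported as "unknown" are on a release train this page does not list or have a version string that did not parse, and need manual review.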
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.