Sensitive Data Exposure in Tenable Identity Exposure Application
CVE-2026-13007
8.5 HIGH
What is CVE-2026-13007?
Tenable Identity Exposure exposes several unauthenticated API endpoints under /w/api/* that return sensitive application configuration, including cleartext LDAP credentials, SAML configurations, user account details, and directory settings. Because these responses are served with cache-control settings that mark them as public, reverse proxies and CDNs placed in front of the application may cache them and serve the cached copies to unauthenticated remote attackers, even where authentication was intended to gate access to the data. These endpoints should be secured and the exposure of this application data prevented.
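An added defender-side check, not code from Tenable or from this advisory: it applies the shared-cache storability rules of RFC 9111 to captured HTTP responses so an operator can confirm that no response under a sensitive path prefix (here /w/api/) is cacheable by a CDN or reverse proxy, and shows the hardened header to serve instead. The captured responses and the endpoint name are constructed placeholders.

```python
"""Audit captured responses for shared-cache (CDN / reverse-proxy) storability,
the condition that lets a cached copy of a sensitive API response be served to
later, unauthenticated clients. Approximates RFC 9111 section 3 for a shared
cache; the request side (e.g. an Authorization header) is not modelled."""
from typing import NamedTuple


class CapturedResponse(NamedTuple):
    path: str
    status: int
    headers: dict  # lowercased header name -> value


def parse_cache_control(value: str) -> dict:
    """Split a Cache-Control value into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip().lower()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip()] = arg.strip().strip('"') or None
    return directives


def shared_cache_may_store(resp: CapturedResponse) -> bool:
    """True if a shared cache is permitted to store this response."""
    cc = parse_cache_control(resp.headers.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return False  # explicit prohibition (private forbids shared caches only)
    if "public" in cc or "s-maxage" in cc or "max-age" in cc:
        return True  # explicit permission or explicit freshness lifetime
    if "expires" in resp.headers:
        return True  # explicit freshness via Expires
    # No explicit directives: heuristic freshness applies to these statuses.
    return resp.status in (200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501)


def flag_sensitive_cacheable(responses, sensitive_prefix="/w/api/"):
    """Paths under the sensitive prefix that a shared cache would store."""
    return [r.path for r in responses
            if r.path.startswith(sensitive_prefix) and shared_cache_may_store(r)]


# Header a sensitive endpoint should send instead of "public".
HARDENED_CACHE_CONTROL = "no-store"

# Constructed sample: the endpoint name is a placeholder, not a real route.
SAMPLE_RESPONSES = [
    CapturedResponse("/w/api/example-endpoint", 200, {"cache-control": "public, max-age=600"}),
    CapturedResponse("/w/api/example-endpoint", 200, {"cache-control": HARDENED_CACHE_CONTROL}),
    CapturedResponse("/static/app.js", 200, {"cache-control": "public, max-age=86400"}),
]

if __name__ == "__main__":
    print("cacheable sensitive paths:", flag_sensitive_cacheable(SAMPLE_RESPONSES))
```

A response that carries no Cache-Control at all is still flagged, because a 200 with no directives may be stored under heuristic freshness; only an explicit no-store (or private, for shared caches) prevents storage.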
Affected Version(s)
Tenable Identity Exposure 0 < 3.93.5
References
CVSS V4
Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Cobalt (Tenable-commissioned penetration test)
