usd-2026-004 | Tenable Nessus Manager 10.11.1 - Missing Authorization (CWE-862)
Product: Tenable Nessus Manager
Affected Version: 10.11.1
Vulnerability Type: Missing Authorization (CWE-862)
Security Risk: High
Vendor: Tenable
Vendor URL: https://www.tenable.com/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE Number: CVE-2026-3493
CVE Link: https://www.cve.org/CVERecord?id=CVE-2026-3493
Advisory ID: usd-2026-004
Description
Tenable Nessus Manager is a vulnerability management platform designed to centrally coordinate vulnerability scanning. It provides a management layer for orchestrating scanners and administering Nessus Agents. Nessus Manager can remotely manage, update, and configure linked agents.
Once agents are linked, they receive scan instructions from the manager, perform assessments locally on the host system, and send results back to the manager.
Nessus Manager also provides functionality for retrieving logs from linked agents. Administrators can request agent logs, after which the agents push their log data back to the manager, where the collected logs can then be downloaded for analysis.
Insufficient access control on the endpoints involved allows low-privileged user accounts to trigger the arbitrary file download described in usd-2026-003 as well.
Proof of Concept
Users with the standard role have no access to the sensors tab in the web frontend and thus cannot normally download log files.
However, due to missing authorization checks, these low-privileged users can still send POST requests to /agents/download-log to generate a one-time token. The required agent-id is simply a sequentially incrementing number that can be easily guessed. They can then use this token in a GET request to /tokens/download to retrieve arbitrary files, as detailed in finding usd-2026-003.
Fix
Implement comprehensive server-side authorization checks on all endpoints to enforce role-based access control.
Validate user privileges against the specific action and resource before processing requests. Deny access if the user's role lacks permission, regardless of frontend restrictions.
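The following is an added example of the server-side pattern the fix describes; it is not Tenable's code and does not reflect how Nessus Manager implements its endpoints. It models the two endpoints from the proof of concept as `issue` (token creation) and `redeem` (token download) and enforces a role check on both, independent of anything the frontend hides. It goes slightly beyond the text by also scoping each token to the user it was issued to and to one agent, and by making the token single-use. The role names, the permission matrix and the agent inventory are constructed for the example.

```python
# Added example (not Tenable's code): a server-side role check that every
# request must pass before a one-time download token is issued or redeemed.
# Role names, the permission matrix and the agent inventory are constructed.
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set


class Forbidden(Exception):
    """Raised when the caller's role or token does not permit the action."""


@dataclass(frozen=True)
class User:
    name: str
    role: str  # constructed role names: "administrator" or "standard"


# Permission matrix: action -> roles allowed. Anything not listed is denied.
PERMISSIONS: Dict[str, Set[str]] = {"agent.logs.download": {"administrator"}}

# Constructed agent inventory; a real service would consult its database.
KNOWN_AGENTS: Set[int] = {1, 2, 3}


def authorize(user: User, action: str) -> None:
    """Deny unless the user's role is explicitly allowed to perform `action`.
    This is the server-side check; whether the frontend hides a tab is irrelevant."""
    if user.role not in PERMISSIONS.get(action, set()):
        raise Forbidden(f"role {user.role!r} may not perform {action!r}")


@dataclass
class DownloadToken:
    owner: str        # user the token was issued to
    agent_id: int     # resource the token is scoped to
    expires_at: float


class TokenService:
    """Issues and redeems one-time download tokens; both paths are authorized."""

    def __init__(self, ttl_seconds: float = 300.0) -> None:
        self._ttl = ttl_seconds
        self._tokens: Dict[str, DownloadToken] = {}

    # Models the POST that creates a token for an agent log.
    def issue(self, user: User, agent_id: int, now: Optional[float] = None) -> str:
        authorize(user, "agent.logs.download")       # role check before anything else
        if agent_id not in KNOWN_AGENTS:              # validate the requested resource
            raise LookupError(f"unknown agent {agent_id}")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)             # unguessable, not sequential
        self._tokens[token] = DownloadToken(user.name, agent_id, now + self._ttl)
        return token

    # Models the GET that redeems the token.
    def redeem(self, user: User, token: str, now: Optional[float] = None) -> int:
        authorize(user, "agent.logs.download")       # re-check: roles can change
        record = self._tokens.pop(token, None)        # pop => strictly one-time
        if record is None:
            raise Forbidden("unknown or already used token")
        now = time.time() if now is None else now
        if now > record.expires_at:
            raise Forbidden("token expired")
        if record.owner != user.name:                 # token bound to its requester
            raise Forbidden("token was issued to a different user")
        return record.agent_id


def simulate(now: float = 1_000.0) -> Dict[str, str]:
    """Run the flow for an administrator and a standard user; report each outcome."""
    admin, standard = User("alice", "administrator"), User("bob", "standard")
    svc = TokenService()
    out: Dict[str, str] = {}
    token = svc.issue(admin, 1, now=now)
    out["admin_redeem"] = f"agent {svc.redeem(admin, token, now=now + 10)}"
    try:
        svc.redeem(admin, token, now=now + 20)        # second use must fail
    except Forbidden as e:
        out["admin_reuse"] = str(e)
    try:
        svc.issue(standard, 1, now=now)               # standard role is refused
    except Forbidden as e:
        out["standard_issue"] = str(e)
    leaked = svc.issue(admin, 2, now=now)
    try:
        svc.redeem(standard, leaked, now=now + 10)    # fails at the role check
    except Forbidden as e:
        out["standard_redeem"] = str(e)
    return out
```

Calling `simulate()` shows the administrator succeeding once and every standard-role request being refused before any file handling happens. The important design point for this advisory is that `authorize` runs at the top of both handlers: a hidden frontend tab is not a control, and a token obtained through one endpoint must not become a bypass of the check on the other.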
References
- https://owasp.org/www-community/attacks/Path_Traversal
- https://de.tenable.com/products/nessus
- https://www.tenable.com/security/tns-2026-08
Timeline
- 2026-02-24: First contact request via HackerOne
- 2026-02-25: Vulnerability confirmed as valid
- 2026-03-03: Nessus Manager 10.10.3 and 10.11.3 released
- 2026-03-30: Advisory published
Credits
This security vulnerability was identified by Ole Wagner of usd AG.