{"id":25093,"date":"2026-03-31T07:34:18","date_gmt":"2026-03-31T05:34:18","guid":{"rendered":"https:\/\/herolab.usd.de\/security-advisories\/usd-2026-004\/"},"modified":"2026-04-08T13:37:26","modified_gmt":"2026-04-08T11:37:26","slug":"usd-2026-004","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2026-004\/","title":{"rendered":"usd-2026-004"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_row _builder_version=\"4.25.2\" _module_preset=\"default\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_text _builder_version=\"4.27.6\" _module_preset=\"default\" custom_padding=\"||13px|||\" hover_enabled=\"0\" global_colors_info=\"{}\" theme_builder_area=\"post_content\" sticky_enabled=\"0\"]<\/p>\n

usd-2026-004 | Tenable Nessus Manager 10.11.1 - Missing Authorization (CWE-862)<\/h1>\n

<\/h1>\n

Product<\/strong>: Tenable Nessus Manager
Affected Version<\/strong>: 10.11.1
Vulnerability Type<\/strong>: Missing Authorization (CWE-862)
Security Risk<\/strong>: High
Vendor<\/strong>: Tenable
Vendor URL<\/strong>: https:\/\/www.tenable.com\/<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed
CVE Number<\/strong>: CVE-2026-3493
CVE Link<\/strong>: https:\/\/www.cve.org\/CVERecord?id=CVE-2026-3493<\/a>
Advisory ID<\/strong>: usd-2026-004<\/p>\n

Description<\/h3>\n

Tenable Nessus Manager is a vulnerability management platform designed to centrally coordinate vulnerability scanning. It provides a management layer for orchestrating scanners and administering Nessus Agents. Nessus Manager can remotely manage, update, and configure linked agents.
Once agents are linked, they receive scan instructions from the manager, perform assessments locally on the host system, and send results back to the manager.<\/p>\n

Nessus Manager also provides functionality for retrieving logs from linked agents. Administrators can request agent logs, after which the agents push their log data back to the manager, where the collected logs can then be downloaded for analysis.<\/p>\n

Insufficient access control mechanisms allow low-privileged user accounts to exploit the usd-2026-003<\/a>\u00a0vulnerability as well.<\/p>\n

Proof of Concept<\/h3>\n

Users with the standard<\/strong> role have no access to the sensors tab in the web frontend and thus cannot normally download log files.<\/p>\n

However, due to missing authorization checks, these low-privileged users can still send POST requests to \/agents\/download-log<\/strong> to generate a one-time token. The required agent-id is simply a sequentially incrementing number that can be easily guessed. They can then exploit this token via a GET request to \/tokens\/download<\/strong> to retrieve arbitrary files, as detailed in finding usd-2026-003<\/a>.<\/p>\n

Fix<\/h3>\n

Implement comprehensive server-side authorization checks on all endpoints to enforce role-based access control.
Validate user privileges against the specific action and resource before processing requests. Deny access if the user's role lacks permission, regardless of frontend restrictions.<\/p>\n

References<\/h3>\n