CVE-2026-13007
Insecure Public Caching on REST API Endpoints in Tenable Identity Exposure
Description
Tenable Identity Exposure contains multiple unauthenticated API endpoints under /w/api/* that expose sensitive application configuration data including cleartext LDAP credentials, SAML configuration, user accounts, and directory settings to unauthenticated remote attackers. Affected responses are served with Cache-Control: public headers and without Vary: Cookie, allowing reverse proxies and CDNs to cache and serve sensitive data to unauthenticated users even after authentication is applied.
INFO
Published Date :
June 23, 2026, 3:59 p.m.
Last Modified :
June 23, 2026, 3:59 p.m.
Remotely Exploit :
No
Source :
tenable
Solution
- Restrict access to sensitive API endpoints.
- Disable or configure caching for API responses.
- Review and harden application configuration.
- Apply vendor patches or updates.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-13007 vulnerability anywhere in the article.