CVE-2026-1344 is an insecure file permissions vulnerability identified in Tanium's Enforce Recovery Key Portal version 1.0.0. The vulnerability arises from incorrect permission assignments on critical resources, specifically files that store or manage recovery keys. These keys are essential for decrypting protected endpoints, making their confidentiality paramount. The vulnerability allows an attacker with low privileges and local access to read these sensitive files, thereby compromising confidentiality without affecting integrity or availability. The CVSS v3.1 score is 6.5 (medium), reflecting that exploitation requires local access and low privileges but no user interaction, and the impact is limited to confidentiality. The vulnerability has a scope change (S:C), indicating that the impact crosses security boundaries, potentially exposing sensitive data beyond the immediate user context. No known exploits have been reported in the wild, and no patches are currently linked, suggesting that organizations should monitor vendor updates closely. Tanium Enforce Recovery Key Portal is used to manage recovery keys for encrypted endpoints, which are critical in enterprise security postures. Improper permission settings on these files could lead to unauthorized disclosure of recovery keys, enabling attackers to decrypt endpoint data or bypass encryption protections.

For European organizations, the exposure of recovery keys due to this vulnerability could lead to significant data confidentiality breaches, especially in sectors handling sensitive or regulated data such as finance, healthcare, and government. Attackers gaining access to recovery keys could decrypt encrypted endpoints, bypassing data protection mechanisms and potentially exfiltrating sensitive information. This could result in regulatory non-compliance with GDPR and other data protection laws, leading to legal and financial penalties. The requirement for local access and low privileges limits remote exploitation but increases risk from insider threats or attackers who have already gained limited footholds within networks. Organizations relying on Tanium for endpoint encryption key management are particularly vulnerable, and the compromise of recovery keys could undermine overall endpoint security strategies. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability details are public.

1. Apply patches or updates from Tanium as soon as they become available to correct file permission settings. 2. Conduct a thorough audit of file and directory permissions related to the Enforce Recovery Key Portal to ensure that only authorized users have access. 3. Restrict local access to systems running the Enforce Recovery Key Portal to trusted administrators and users with a legitimate need. 4. Implement strict access controls and monitoring on endpoints and servers hosting the portal to detect unauthorized access attempts. 5. Use endpoint detection and response (EDR) tools to monitor for suspicious local privilege escalations or file access patterns. 6. Educate internal teams about the risks of insider threats and enforce least privilege principles. 7. Regularly review and update security policies related to key management and endpoint encryption. 8. Consider network segmentation to isolate critical systems running the portal from general user environments. 9. Maintain up-to-date backups and incident response plans in case of data compromise. 10. Monitor threat intelligence feeds for any emerging exploits targeting this vulnerability.