Skip to main content

IBM CVE-2026-0977

| EUVDEUVD-2026-12071 MEDIUM
Improper Access Control (CWE-284)
2026-03-13 ibm
5.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Apr 02, 2026 - 14:08 nvd
Patch available
EUVD ID Assigned
Mar 13, 2026 - 21:01 euvd
EUVD-2026-12071
Analysis Generated
Mar 13, 2026 - 21:01 vuln.today
CVE Published
Mar 13, 2026 - 20:11 nvd
MEDIUM 5.1

DescriptionCVE.org

IBM CICS Transaction Gateway for Multiplatforms 9.3 and 10.1 could allow a user to transfer or view files due to improper access controls.

AnalysisAI

IBM CICS Transaction Gateway for Multiplatforms versions 9.3 and 10.1 contain an improper access control vulnerability (CWE-284) that allows local users to transfer or view files without authentication or authorization checks. An attacker with local system access can exploit this flaw to read sensitive data or modify files, resulting in confidentiality and integrity compromise with a CVSS base score of 5.1. This vulnerability affects a critical middleware component used in enterprise transaction processing environments.

Technical ContextAI

IBM CICS Transaction Gateway (CTG) is a middleware product that provides Java client connectivity to CICS transaction servers. The vulnerability stems from inadequate access control mechanisms in the file handling routines of CTG versions 9.3 and 10.1, classified under CWE-284 (Improper Access Control - Generic). The root cause is the failure to enforce proper authentication and authorization checks before allowing file operations, enabling any local process to interact with protected files managed by the CTG application. This affects the core authentication and file access logic within the gateway, which should restrict file operations to authenticated and authorized users only.

RemediationAI

Upgrade IBM CICS Transaction Gateway to a patched version released after the vulnerability disclosure. Organizations should immediately apply the latest security patches provided by IBM for both the 9.3 and 10.1 product lines. Until patches can be deployed, implement compensating controls by restricting local system access to the CTG installation directory and associated configuration files using operating system-level access controls (file permissions, ACLs), limiting which user accounts and processes can interact with the gateway. Additionally, enforce principle of least privilege for service accounts running CTG, disable unnecessary local shell access to systems hosting the gateway, and audit file access logs to detect any suspicious file transfer or viewing activity. Consult IBM's official security advisory at https://www.ibm.com/support/pages/security-bulletins for patch download links and compatibility guidance.

Share

CVE-2026-0977 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy