Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
IBM Planning Analytics Local 2.1.0 through 2.1.17 could allow an unauthorized access to sensitive application data and administrative functionalities due to lack of proper access controls.
AnalysisAI
IBM Planning Analytics Local versions 2.1.0 through 2.1.17 contain an improper access control vulnerability (CWE-200) that allows authenticated users to access sensitive application data and administrative functionalities beyond their authorization level. An attacker with valid credentials can leverage this flaw to read confidential planning and analytics data, escalate privileges, or access administrative functions without proper authorization. A vendor patch is available, and this represents a moderate-to-high risk for organizations running affected versions in production environments.
Technical ContextAI
IBM Planning Analytics Local is a business intelligence and planning platform that manages sensitive financial and operational data. The vulnerability stems from insufficient access control mechanisms within the application, classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The affected product is identified via CPE string cpe:2.3:a:ibm:planning_analytics_local:*:*:*:*:*:*:*:*, which encompasses all versions 2.1.0 through 2.1.17. The root cause involves the application failing to properly enforce role-based access controls (RBAC) or attribute-based access controls (ABAC) when users attempt to access data repositories, administrative consoles, or system configuration endpoints. This allows privilege escalation even without exploiting authentication mechanisms—the user is authenticated but can bypass authorization checks through direct API calls, parameter manipulation, or by exploiting missing endpoint-level permission validation.
RemediationAI
Upgrade IBM Planning Analytics Local to the patched version provided by IBM (version 2.1.18 or later, as indicated by the affected range 2.1.0-2.1.17). Consult the IBM support advisory at https://www.ibm.com/support/pages/node/7263581 for specific patch filenames and installation procedures applicable to your deployment platform. Until patching is completed, enforce network-level access controls by restricting Planning Analytics Local administrative interfaces and data APIs to trusted IP ranges only, implement IP whitelisting for all user connections, enforce multi-factor authentication for all user accounts to reduce the risk of credential compromise, and conduct an access log audit to identify any unauthorized data access within your environment. Additionally, enable detailed audit logging on the application to track which users accessed which data objects, and review user role assignments to ensure the principle of least privilege is enforced.
More in Planning Analytics Local
View allIBM Planning Analytics Local 2.0 and 2.1 connects to a MongoDB server. Rated critical severity (CVSS 9.1), this vulnerab
IBM Planning Analytics Local 2.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decr
IBM Planning Analytics Local 2.0 and 2.1 could allow a privileged user to delete files from directories due to improper
IBM Planning Analytics Local 2.0 and 2.1 does not invalidate session after a logout which could allow an authenticated u
IBM Planning Analytics Local 2.0 is vulnerable to cross-site scripting. Rated medium severity (CVSS 6.1), this vulnerabi
IBM Planning Analytics Local 2.0 is vulnerable to cross-site scripting. Rated medium severity (CVSS 6.1), this vulnerabi
IBM Planning Analytics 2.0.0 through 2.0.4 is vulnerable to cross-site scripting. Rated medium severity (CVSS 6.1), this
IBM Planning Analytics Local versions 2.1.0 through 2.1.17 contain a cache poisoning vulnerability (CWE-524) where attac
IBM Planning Analytics Local 2.0 and 2.1 is vulnerable to cross-site scripting. This vulnerability allows an authenticat
IBM Planning Analytics Local 2.0 and 2.1 is vulnerable to stored cross-site scripting. Rated medium severity (CVSS 5.4),
IBM Planning Analytics Local 2.0 and 2.1 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this v
IBM Planning Analytics Local 2.0 and 2.1 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this v
Same weakness CWE-200 – Information Exposure
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12643