Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from Vendor (us) · only source for this CVE.
CVSS VectorVendor: us
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
IBM Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2, 4.2.1, 5.0, and 5.1
AnalysisAI
Improper privilege management in IBM Guardium Key Lifecycle Manager versions 4.1 through 5.1 allows remote unauthenticated attackers to achieve limited confidentiality and integrity compromise through a network attack requiring high complexity. The vulnerability stems from inadequate access control enforcement that permits elevation of privileges without authentication, affecting a widely deployed enterprise key management solution.
Technical ContextAI
IBM Guardium Key Lifecycle Manager is an enterprise solution for managing cryptographic key lifecycles across hybrid cloud environments. The vulnerability is rooted in CWE-269 (Improper Access Control), indicating that the application fails to properly enforce authorization checks on sensitive operations. The network-accessible attack vector (AV:N) combined with high complexity (AC:H) suggests the exploit requires specific conditions or manipulation of the system state that are not trivially achievable, though the mechanism does not require prior authentication (PR:N). The affected product handles sensitive key material, making even limited confidentiality and integrity impact significant in cryptographic contexts.
RemediationAI
Apply the latest IBM Guardium Key Lifecycle Manager patch version that addresses CVE-2026-1726; users should consult the IBM security advisory at https://www.ibm.com/support/pages/node/7268697 for specific fix version numbers for their current release track. Until patching is possible, implement network segmentation to restrict unauthenticated access to Guardium Key Lifecycle Manager administrative interfaces, ensuring only authorized systems can communicate with the product on affected network ports. Disable unnecessary administrative features or interfaces if not required for operational key lifecycle management. Monitor authentication logs and failed access attempts for suspicious patterns indicative of exploitation attempts. Given the high complexity requirement (AC:H), the vulnerability may be difficult to exploit in production environments, allowing time for planned patching cycles rather than emergency mitigation.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25127
GHSA-26px-prvq-fgpx