Skip to main content

IBM i CVE-2026-2311

| EUVDEUVD-2026-26440 MEDIUM
Improper Access Control (CWE-284)
2026-04-30 ibm
6.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.4 MEDIUM
AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Apr 30, 2026 - 22:15 vuln.today
EUVD ID Assigned
Apr 30, 2026 - 22:00 euvd
EUVD-2026-26440
Analysis Generated
Apr 30, 2026 - 22:00 vuln.today
Patch released
Apr 30, 2026 - 22:00 nvd
Patch available
CVE Published
Apr 30, 2026 - 21:45 nvd
MEDIUM 6.4

DescriptionCVE.org

IBM i 7.6, 7.5, 7.4, 7.3, and 7.2 s vulnerable to privilege escalation caused by an invalid IBM i Web Administration GUI authorization check.  A malicious actor could cause user-controlled code to run with administrator privilege.

AnalysisAI

IBM i 7.2-7.6 contains an invalid authorization check in the Web Administration GUI that allows authenticated high-privilege users with administrator access to trigger privilege escalation, enabling user-controlled code execution with administrator privileges. The vulnerability requires high privileges and user interaction (CVSS:H for confidentiality, integrity, and availability), but is not currently listed in CISA's Known Exploited Vulnerabilities catalog, and no public exploit code has been identified as of the analysis date.

Technical ContextAI

IBM i is a server operating system that includes a web-based administration console. The vulnerability stems from CWE-284 (Improper Access Control / Permissions, Privileges, and Other Access Controls), specifically a failure to properly validate authorization decisions within the Web Administration GUI. This occurs at the web application layer rather than the OS kernel, allowing an already-privileged administrator to escalate or misuse their access through the GUI interface. The affected CPE (cpe:2.3:a:ibm:i:*:*:*:*:*:*:*:*) indicates all instances of the IBM i product family across versions 7.2 through 7.6 are in scope.

RemediationAI

Vendor-released patch is available from IBM; apply the security update referenced at https://www.ibm.com/support/pages/node/7269560 to all affected IBM i systems (versions 7.2-7.6). No specific fix version number is provided in available public disclosures, so consult the IBM advisory directly to identify the patched release level for your current version. If immediate patching is not feasible, implement compensating controls: (1) restrict access to the Web Administration GUI to a minimal set of trusted administrators, either by network firewall rules (block TCP access to the GUI port except from administrative subnets) or by disabling the GUI service if not operationally required and using alternative administration methods; (2) enable comprehensive audit logging for all administrative GUI actions and monitor for anomalous privilege escalation events; (3) require multi-factor authentication for administrative GUI sessions if supported by your IBM i configuration. Each of these controls has trade-offs: network restrictions may impede remote administration workflows, disabling the GUI reduces administrative flexibility, and audit logging generates additional log storage requirements but provides detection capability.

Share

CVE-2026-2311 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy