Severity by source
AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
IBM i 7.6, 7.5, 7.4, 7.3, and 7.2 s vulnerable to privilege escalation caused by an invalid IBM i Web Administration GUI authorization check. A malicious actor could cause user-controlled code to run with administrator privilege.
AnalysisAI
IBM i 7.2-7.6 contains an invalid authorization check in the Web Administration GUI that allows authenticated high-privilege users with administrator access to trigger privilege escalation, enabling user-controlled code execution with administrator privileges. The vulnerability requires high privileges and user interaction (CVSS:H for confidentiality, integrity, and availability), but is not currently listed in CISA's Known Exploited Vulnerabilities catalog, and no public exploit code has been identified as of the analysis date.
Technical ContextAI
IBM i is a server operating system that includes a web-based administration console. The vulnerability stems from CWE-284 (Improper Access Control / Permissions, Privileges, and Other Access Controls), specifically a failure to properly validate authorization decisions within the Web Administration GUI. This occurs at the web application layer rather than the OS kernel, allowing an already-privileged administrator to escalate or misuse their access through the GUI interface. The affected CPE (cpe:2.3:a:ibm:i:*:*:*:*:*:*:*:*) indicates all instances of the IBM i product family across versions 7.2 through 7.6 are in scope.
RemediationAI
Vendor-released patch is available from IBM; apply the security update referenced at https://www.ibm.com/support/pages/node/7269560 to all affected IBM i systems (versions 7.2-7.6). No specific fix version number is provided in available public disclosures, so consult the IBM advisory directly to identify the patched release level for your current version. If immediate patching is not feasible, implement compensating controls: (1) restrict access to the Web Administration GUI to a minimal set of trusted administrators, either by network firewall rules (block TCP access to the GUI port except from administrative subnets) or by disabling the GUI service if not operationally required and using alternative administration methods; (2) enable comprehensive audit logging for all administrative GUI actions and monitor for anomalous privilege escalation events; (3) require multi-factor authentication for administrative GUI sessions if supported by your IBM i configuration. Each of these controls has trade-offs: network restrictions may impede remote administration workflows, disabling the GUI reduces administrative flexibility, and audit logging generates additional log storage requirements but provides detection capability.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26440