Severity by source
AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
IBM MQ Operator SC2: v3.2.0 through 3.2.23CD: v3.3.0, v3.4.0, v3.4.1, v3.5.0, v3.5.1 - v3.5.3, v3.6.0 - v3.6.4, v3.7.0 - v3.7.2, v3.8.0, v3.8.1, v3.9.0, v3.9.1LTS: v2.0.0 - 2.0.29 and IBM supplied MQ Advanced container images SC2: 9.4.0.6 through r1, 9.4.0.6-r2, 9.4.0.7-r1, 9.4.0.10-r1, 9.4.0.10-r2, 9.4.0.11-r1, 9.4.0.11-r2, 9.4.0.11-r3, 9.4.0.12-r1, 9.4.0.15-r1 - 9.4.0.15-r4, 9.4.0.16-r1, 9.4.0.16-r2, 9.4.0.17-r1, 9.4.0.17-r2, 9.4.0.20-r1CD: 9.4.1.0-r1, 9.4.1.0-r2, 9.4.1.1-r1, 9.4.2.0-r1, 9.4.2.0-r2, 9.4.2.1-r1, 9.4.2.1-r2, 9.4.3.0-r1, 9.4.3.0-r2, 9.4.3.1-r1 - 9.4.3.1-r3, 9.4.4.0-r1 - 9.4.4.0-r4, 9.4.4.1-r1, 9.4.5.0-r1, 9.4.5.0-r2LTS: 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.0.10-r1, 9.3.0.10-r2, 9.3.0.11-r1,9.3.0.11-r2, 9.3.0.15-r1, 9.3.0.16-r1, 9.3.0.16-r2, 9.3.0.17-r1, 9.3.0.17-r2, 9.3.0.17-r3, 9.3.0.20-r1, 9.3.0.20-r2, 9.3.0.21-r1, 9.3.0.21-r2, 9.3.0.21-r3, 9.3.0.25-r1, 9.4.0.0-r1, 9.4.0.0-r2, 9.4.0.0-r3, 9.4.0.5-r1, 9.4.0.5-r2 IBM MQ stores potentially sensitive information in log files that could be read by a local user.
AnalysisAI
Sensitive information disclosure in IBM MQ Operator and IBM-supplied MQ Advanced container images exposes potentially sensitive data written to log files, readable by local users on the host or container system. Affected versions span three release tracks (LTS, CD, SC2) across both the MQ Operator (v2.0.0 through v3.9.1) and a broad range of container image releases from 9.3.x through 9.4.x. The CVSS score of 5.1 with a local attack vector and high complexity rating confines exploitation to users with existing local or container runtime access, and no public exploit has been identified at time of analysis.
Technical ContextAI
CWE-532 (Insertion of Sensitive Information into Log File) describes the root cause: IBM MQ writes data - potentially including credentials, connection strings, tokens, or configuration parameters - to log files without adequately sanitizing or masking sensitive fields. IBM MQ Operator is a Kubernetes/OpenShift operator that manages IBM MQ queue manager deployments in containerized environments; the IBM-supplied MQ Advanced container images are the runtime containers managed by this operator. In such environments, log data may be surfaced through multiple channels: raw log files on the container filesystem, container stdout/stderr captured by the runtime, and Kubernetes log APIs (kubectl logs). Each channel has distinct access controls, and misconfigurations or overly permissive RBAC policies in OpenShift/Kubernetes clusters can widen the exposure surface beyond what a traditional on-premises log file vulnerability would imply.
RemediationAI
Consult IBM Security Advisory at https://www.ibm.com/support/pages/node/7273145 for the specific patched operator and container image versions - the exact fix versions are not independently confirmed from the available data and must be verified directly against the advisory before upgrading. Apply the vendor-released patch by updating the IBM MQ Operator to the remediated release for your track (LTS, CD, or SC2) and pulling updated container images from the IBM registry. As compensating controls until patching is complete: restrict filesystem permissions on IBM MQ log directories so that only the MQ service account and authorized administrators can read log files, reducing the blast radius of opportunistic access. In OpenShift/Kubernetes environments, audit and tighten RBAC policies to remove kubectl logs access for non-administrative users on MQ namespaces - note that this may limit developer troubleshooting capability and should be coordinated with operations teams. Where log aggregation pipelines (e.g., Fluentd, Elasticsearch) collect MQ container logs, ensure those pipelines apply log scrubbing or field-level masking for known sensitive patterns. Reducing MQ log verbosity to a minimum operational level is an additional mitigation but may impair incident investigation; document this trade-off before applying.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32271
GHSA-7q7x-j3xv-rpmp