Skip to main content

IBM API Connect CVE-2026-3144

| EUVDEUVD-2026-42304 CRITICAL
Use of Default Credentials (CWE-1392)
2026-07-08 ibm GHSA-m242-fcx4-2h8f
9.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (ibm) PRIMARY
HIGH
qualitative
NVD
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Default credentials are publicly known so authentication is effectively bypassed (PR:N); network-reachable with no user interaction and low complexity, yielding total compromise (C/I/A:H).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (ibm).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jul 10, 2026 - 17:14 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 10, 2026 - 17:14 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 10, 2026 - 17:07 vuln.today
cvss_changed
Severity Changed
Jul 10, 2026 - 17:07 NVD
HIGH CRITICAL
CVSS changed
Jul 10, 2026 - 17:07 NVD
8.1 (HIGH) 9.8 (CRITICAL)
Analysis Generated
Jul 08, 2026 - 16:21 vuln.today

DescriptionNVD

IBM API Connect 12.1.0.0 through 12.1.0.3 uses default credentials which could allow an attacker to gain unauthorized access to the application before the system enforces a credential update.

AnalysisAI

Authentication bypass via default credentials in IBM API Connect 12.1.0.0 through 12.1.0.3 lets remote unauthenticated attackers log in with vendor-shipped default credentials during the window before the system forces a credential change on first use. Rated CVSS 9.8 with total confidentiality, integrity, and availability impact, the flaw grants full access to the API management platform. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed API Connect management interface
Delivery
Submit known default credentials
Exploit
Authenticate before credential update enforced
Execution
Gain full administrative access
Impact
Control APIs, secrets, and gateway config

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target IBM API Connect instance (versions 12.1.0.0 through 12.1.0.3) is still using its shipped default credentials - that is, the attacker must reach the instance during the window after deployment and before the system enforces the mandatory credential update, and the management/login interface must be network-reachable. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the network-exposed management interface of a freshly deployed IBM API Connect 12.1.x instance authenticates using the product's documented default credentials before the operator completes the enforced credential update. With that access the attacker gains full control over API definitions, secrets, and gateway configuration. …
Remediation Apply the vendor-released patch available per IBM's advisory at https://www.ibm.com/support/pages/node/7278909 and upgrade beyond the affected range to a fixed release (the EUVD range indicates 12.1.0.3 as the boundary; confirm the exact fixed build in the IBM advisory). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

WITHIN 24 HOURS: Identify and inventory all IBM API Connect 12.1.0.0-12.1.0.3 deployments; restrict network access to administrative interfaces to authorized networks only; isolate any freshly deployed instances pending hardening. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2019-4202 CRITICAL
10.0 Apr 15

IBM API Connect 5.0.0.0 and 5.0.8.6 Developer Portal is vulnerable to command injection. Rated critical severity (CVSS 1

CVE-2018-1789 CRITICAL
9.9 Sep 07

IBM API Connect v2018.1.0 through v2018.3.4 could allow an attacker to send a specially crafted request to conduct a ser

CVE-2018-1712 CRITICAL
9.9 Aug 16

IBM API Connect's Developer Portal 5.0.0.0 through 5.0.8.3 is vulnerable to Server Side Request Forgery. Rated critical

CVE-2026-9074 CRITICAL
9.8 Jul 08

Unauthenticated SQL injection in IBM API Connect's password reset functionality allows remote attackers to inject arbitr

CVE-2021-29772 CRITICAL
9.8 Aug 26

IBM API Connect 5.0.0.0 through 5.0.8.11 could allow a user to potentially inject code due to unsanitized user input. Ra

CVE-2019-4203 CRITICAL
9.8 Apr 15

IBM API Connect 5.0.0.0 and 5.0.8.6 Developer Portal can be exploited by app developers to download arbitrary files from

CVE-2019-4155 CRITICAL
9.8 Apr 08

IBM API Connect's Developer Portal 2018.1 and 2018.4.1.3 is impacted by a privilege escalation vulnerability when integr

CVE-2019-4008 CRITICAL
9.8 Feb 07

API Connect V2018.1 through 2018.4.1.1 is impacted by access token leak. Rated critical severity (CVSS 9.8), this vulner

CVE-2018-1784 CRITICAL
9.8 Dec 20

IBM API Connect 5.0.0.0 and 5.0.8.4 is affected by a NoSQL Injection in MongoDB connector for the LoopBack framework. Ra

CVE-2018-1469 CRITICAL
9.8 Apr 04

IBM API Connect Developer Portal 5.0.0.0 through 5.0.8.2 could allow an unauthenticated attacker to execute system comma

CVE-2021-29715 CRITICAL
9.1 Aug 26

IBM API Connect 5.0.0.0 through 5.0.8.11 could alllow a remote user to obtain sensitive information or conduct denial of

CVE-2023-28522 HIGH
8.8 May 12

IBM API Connect V10 could allow an authenticated user to perform actions that they should not have access to. Rated high

Share

CVE-2026-3144 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy