Skip to main content

IBM Engineering Lifecycle Management CVE-2026-3660

| EUVDEUVD-2026-31954 CRITICAL
Incorrect Authorization (CWE-863)
2026-05-26 ibm GHSA-cxh9-m8x4-52q5
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 08:30 vuln.today

DescriptionCVE.org

IBM Engineering Lifecycle Management 7.0.3 ( through ) Interim Fix 021, 7.1.0 ( through ) Interim Fix 009, and 7.2.0 ( through ) Interim Fix 001 could allow an unauthenticated remote attacker to update server property files that would allow them to gain unauthorized access to the application.

AnalysisAI

Authorization bypass in IBM Engineering Lifecycle Management (ELM) 7.0.3, 7.1.0, and 7.2.0 allows unauthenticated remote attackers to modify server property files and gain unauthorized access to the application. The flaw carries a critical CVSS 9.8 score with full confidentiality, integrity, and availability impact, and IBM has released Interim Fixes addressing it. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.03%, 10th percentile).

Technical ContextAI

IBM Engineering Lifecycle Management is an enterprise suite for application lifecycle management used across requirements, design, quality, and configuration management workflows (covered by cpe:2.3:a:ibm:engineering_lifecycle_management). The root cause is CWE-863 (Incorrect Authorization), meaning the application performs an authorization check but applies the wrong logic or fails to enforce restrictions on a privileged action. In this case, the server exposes a code path that allows modification of property files - configuration data that the server trusts at runtime - without first validating that the caller is authenticated or authorized, effectively turning a configuration management primitive into an authentication bypass.

RemediationAI

Apply the IBM-released Interim Fixes documented at https://www.ibm.com/support/pages/node/7274079 - specifically upgrade beyond Interim Fix 021 for 7.0.3, beyond Interim Fix 009 for 7.1.0, and beyond Interim Fix 001 for 7.2.0 (Patch available per vendor advisory). Until the fix is applied, restrict network access to ELM server endpoints to trusted management networks or VPN-only reachability via firewall or reverse-proxy ACLs, which neutralizes the AV:N attack vector at the cost of breaking remote integrations and external client tooling. Additionally, monitor for unexpected writes to server property files on ELM hosts and review property-file integrity against a known-good baseline; this is a detection-only control and will not block exploitation, but it provides high-fidelity evidence of an attempt.

CVE-2023-40958 HIGH POC
8.8 Sep 15

A SQL injection vulnerability in Didotech srl Engineering & Lifecycle Management (aka pdm) v.14.0, v.15.0 and v.16.0 fix

CVE-2023-40957 HIGH POC
8.8 Sep 15

A SQL injection vulnerability in Didotech srl Engineering & Lifecycle Management (aka pdm) v.14.0, v.15.0 and v.16.0 fix

CVE-2023-40955 HIGH POC
8.8 Sep 15

A SQL injection vulnerability in Didotech srl Engineering & Lifecycle Management (aka pdm) v.14.0, v.15.0 and v.16.0 fix

CVE-2026-4051 HIGH
7.2 May 26

Remote code execution in IBM Engineering Lifecycle Management (ELM) versions 7.0.3 through Interim Fix 021, 7.1.0 throug

CVE-2026-3603 HIGH
7.1 May 26

XML External Entity (XXE) injection in IBM Engineering Lifecycle Management (ELM) 7.0.3, 7.1.0, and 7.2.0 allows authent

CVE-2021-20502 HIGH
7.1 Mar 30

IBM Jazz Foundation Products are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. R

CVE-2021-20371 MEDIUM
6.5 Jun 02

IBM Jazz Foundation and IBM Engineering products could allow a remote attacker to obtain sensitive information when an e

CVE-2025-36033 MEDIUM
5.4 Feb 03

Engineering Lifecycle Management versions up to 7.0.3 is affected by cross-site scripting (xss) (CVSS 5.4).

CVE-2021-29670 MEDIUM
5.4 Jun 02

IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4

CVE-2021-29668 MEDIUM
5.4 Jun 02

IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4

CVE-2021-20348 MEDIUM
5.4 Jun 02

IBM Jazz Foundation and IBM Engineering products are vulnerable to server-side request forgery (SSRF). Rated medium seve

CVE-2021-20347 MEDIUM
5.4 Jun 02

IBM Jazz Foundation and IBM Engineering products are vulnerable to server-side request forgery (SSRF). Rated medium seve

Share

CVE-2026-3660 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy