Skip to main content

IBM API Connect CVE-2026-9074

| EUVDEUVD-2026-42307 CRITICAL
SQL Injection (CWE-89)
2026-07-08 ibm GHSA-hw2j-c5q4-7m9c
9.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (ibm) PRIMARY
CRITICAL
qualitative
NVD
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Unauthenticated, network-reachable password reset endpoint with low-complexity SQL injection yields PR:N/AC:L/AV:N; SQLi over the credential store gives full C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (ibm).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Updated
Jul 10, 2026 - 17:13 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 10, 2026 - 17:12 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 10, 2026 - 17:07 vuln.today
cvss_changed
CVSS changed
Jul 10, 2026 - 17:07 NVD
9.1 (CRITICAL) 9.8 (CRITICAL)
Analysis Generated
Jul 08, 2026 - 16:25 vuln.today

DescriptionNVD

IBM API Connect 10.0.8.0 through 10.0.8.9 and 12.1.0.0 through 12.1.0.3 contains an unauthenticated SQL injection vulnerability in the password reset functionality.

AnalysisAI

Unauthenticated SQL injection in IBM API Connect's password reset functionality allows remote attackers to inject arbitrary SQL against the backing database without credentials, affecting versions 10.0.8.0 through 10.0.8.9 and 12.1.0.0 through 12.1.0.3. With a CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) and total technical impact, exploitation can lead to full compromise of confidentiality, integrity, and availability of the API management data store. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach API Connect reset endpoint
Delivery
Submit crafted reset request
Exploit
Inject SQL via input field
Execution
Manipulate credential-store query
Persist
Extract or alter account data
Impact
Achieve account takeover / data compromise

Vulnerability AssessmentAI

Exploitation The specific prerequisite is that the target must expose IBM API Connect's password reset functionality (the account self-service/credential reset endpoint) reachable over the network; per the CVSS vector (AV:N/AC:L/PR:N/UI:N) no authentication, no user interaction, and no special non-default configuration are required beyond the reset feature being enabled and network-accessible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are partly divergent and warrant nuance. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote, unauthenticated attacker sends a crafted request to the API Connect password reset endpoint with malicious SQL embedded in an input field (such as the username or email parameter). Because the input is not sanitized before being used in a SQL query, the attacker extracts or modifies data in the credential store - for example dumping account records or altering reset tokens - potentially escalating to account takeover or full data compromise. …
Remediation Patch available per vendor advisory: apply the fixes referenced in IBM's support bulletins at https://www.ibm.com/support/pages/node/7278909 and https://www.ibm.com/support/pages/node/7278218, upgrading beyond the affected 10.0.8.x and 12.1.0.0-12.1.0.3 ranges to the IBM-designated fixed level (confirm the exact target build in those advisories, as an explicit fixed version string was not provided in the input). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify and document all systems running IBM API Connect 10.0.8.0-10.0.8.9 or 12.1.0.0-12.1.0.3; restrict network access to affected instances from untrusted sources. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2019-4202 CRITICAL
10.0 Apr 15

IBM API Connect 5.0.0.0 and 5.0.8.6 Developer Portal is vulnerable to command injection. Rated critical severity (CVSS 1

CVE-2018-1789 CRITICAL
9.9 Sep 07

IBM API Connect v2018.1.0 through v2018.3.4 could allow an attacker to send a specially crafted request to conduct a ser

CVE-2018-1712 CRITICAL
9.9 Aug 16

IBM API Connect's Developer Portal 5.0.0.0 through 5.0.8.3 is vulnerable to Server Side Request Forgery. Rated critical

CVE-2026-3144 CRITICAL
9.8 Jul 08

Authentication bypass via default credentials in IBM API Connect 12.1.0.0 through 12.1.0.3 lets remote unauthenticated a

CVE-2021-29772 CRITICAL
9.8 Aug 26

IBM API Connect 5.0.0.0 through 5.0.8.11 could allow a user to potentially inject code due to unsanitized user input. Ra

CVE-2019-4203 CRITICAL
9.8 Apr 15

IBM API Connect 5.0.0.0 and 5.0.8.6 Developer Portal can be exploited by app developers to download arbitrary files from

CVE-2019-4155 CRITICAL
9.8 Apr 08

IBM API Connect's Developer Portal 2018.1 and 2018.4.1.3 is impacted by a privilege escalation vulnerability when integr

CVE-2019-4008 CRITICAL
9.8 Feb 07

API Connect V2018.1 through 2018.4.1.1 is impacted by access token leak. Rated critical severity (CVSS 9.8), this vulner

CVE-2018-1784 CRITICAL
9.8 Dec 20

IBM API Connect 5.0.0.0 and 5.0.8.4 is affected by a NoSQL Injection in MongoDB connector for the LoopBack framework. Ra

CVE-2018-1469 CRITICAL
9.8 Apr 04

IBM API Connect Developer Portal 5.0.0.0 through 5.0.8.2 could allow an unauthenticated attacker to execute system comma

CVE-2021-29715 CRITICAL
9.1 Aug 26

IBM API Connect 5.0.0.0 through 5.0.8.11 could alllow a remote user to obtain sensitive information or conduct denial of

CVE-2023-28522 HIGH
8.8 May 12

IBM API Connect V10 could allow an authenticated user to perform actions that they should not have access to. Rated high

Share

CVE-2026-9074 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy