Skip to main content

Planning Analytics Local EUVDEUVD-2026-12643

| CVE-2026-1267 MEDIUM
Information Exposure (CWE-200)
2026-03-17 ibm
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Mar 17, 2026 - 22:08 euvd
EUVD-2026-12643
Analysis Generated
Mar 17, 2026 - 22:08 vuln.today
Patch released
Mar 17, 2026 - 22:08 nvd
Patch available
CVE Published
Mar 17, 2026 - 21:50 nvd
MEDIUM 6.5

DescriptionCVE.org

IBM Planning Analytics Local 2.1.0 through 2.1.17 could allow an unauthorized access to sensitive application data and administrative functionalities due to lack of proper access controls.

AnalysisAI

IBM Planning Analytics Local versions 2.1.0 through 2.1.17 contain an improper access control vulnerability (CWE-200) that allows authenticated users to access sensitive application data and administrative functionalities beyond their authorization level. An attacker with valid credentials can leverage this flaw to read confidential planning and analytics data, escalate privileges, or access administrative functions without proper authorization. A vendor patch is available, and this represents a moderate-to-high risk for organizations running affected versions in production environments.

Technical ContextAI

IBM Planning Analytics Local is a business intelligence and planning platform that manages sensitive financial and operational data. The vulnerability stems from insufficient access control mechanisms within the application, classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The affected product is identified via CPE string cpe:2.3:a:ibm:planning_analytics_local:*:*:*:*:*:*:*:*, which encompasses all versions 2.1.0 through 2.1.17. The root cause involves the application failing to properly enforce role-based access controls (RBAC) or attribute-based access controls (ABAC) when users attempt to access data repositories, administrative consoles, or system configuration endpoints. This allows privilege escalation even without exploiting authentication mechanisms—the user is authenticated but can bypass authorization checks through direct API calls, parameter manipulation, or by exploiting missing endpoint-level permission validation.

RemediationAI

Upgrade IBM Planning Analytics Local to the patched version provided by IBM (version 2.1.18 or later, as indicated by the affected range 2.1.0-2.1.17). Consult the IBM support advisory at https://www.ibm.com/support/pages/node/7263581 for specific patch filenames and installation procedures applicable to your deployment platform. Until patching is completed, enforce network-level access controls by restricting Planning Analytics Local administrative interfaces and data APIs to trusted IP ranges only, implement IP whitelisting for all user connections, enforce multi-factor authentication for all user accounts to reduce the risk of credential compromise, and conduct an access log audit to identify any unauthorized data access within your environment. Additionally, enable detailed audit logging on the application to track which users accessed which data objects, and review user role assignments to ensure the principle of least privilege is enforced.

CVE-2024-35143 CRITICAL
9.1 Aug 04

IBM Planning Analytics Local 2.0 and 2.1 connects to a MongoDB server. Rated critical severity (CVSS 9.1), this vulnerab

CVE-2020-4367 HIGH
7.5 Jun 02

IBM Planning Analytics Local 2.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decr

CVE-2025-33004 MEDIUM
6.5 Jun 01

IBM Planning Analytics Local 2.0 and 2.1 could allow a privileged user to delete files from directories due to improper

CVE-2025-33005 MEDIUM
6.3 Jun 01

IBM Planning Analytics Local 2.0 and 2.1 does not invalidate session after a logout which could allow an authenticated u

CVE-2020-4503 MEDIUM
6.1 Jun 02

IBM Planning Analytics Local 2.0 is vulnerable to cross-site scripting. Rated medium severity (CVSS 6.1), this vulnerabi

CVE-2020-4366 MEDIUM
6.1 Jun 02

IBM Planning Analytics Local 2.0 is vulnerable to cross-site scripting. Rated medium severity (CVSS 6.1), this vulnerabi

CVE-2018-1676 MEDIUM
6.1 Jul 06

IBM Planning Analytics 2.0.0 through 2.0.4 is vulnerable to cross-site scripting. Rated medium severity (CVSS 6.1), this

CVE-2025-14806 MEDIUM
5.7 Mar 17

IBM Planning Analytics Local versions 2.1.0 through 2.1.17 contain a cache poisoning vulnerability (CWE-524) where attac

CVE-2025-25044 MEDIUM
5.4 Jun 01

IBM Planning Analytics Local 2.0 and 2.1 is vulnerable to cross-site scripting. This vulnerability allows an authenticat

CVE-2024-31908 MEDIUM
5.4 May 31

IBM Planning Analytics Local 2.0 and 2.1 is vulnerable to stored cross-site scripting. Rated medium severity (CVSS 5.4),

CVE-2024-31907 MEDIUM
5.4 May 31

IBM Planning Analytics Local 2.0 and 2.1 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this v

CVE-2024-31889 MEDIUM
5.4 May 31

IBM Planning Analytics Local 2.0 and 2.1 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this v

Share

EUVD-2026-12643 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy