Skip to main content

IBM MQ Operator EUVDEUVD-2026-32271

| CVE-2026-2607 MEDIUM
Insertion of Sensitive Information into Log File (CWE-532)
2026-05-27 psirt@us.ibm.com GHSA-7q7x-j3xv-rpmp
5.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 21:35 vuln.today

DescriptionCVE.org

IBM MQ Operator SC2: v3.2.0 through 3.2.23CD:  v3.3.0, v3.4.0, v3.4.1, v3.5.0, v3.5.1 - v3.5.3, v3.6.0 - v3.6.4, v3.7.0 - v3.7.2, v3.8.0, v3.8.1, v3.9.0, v3.9.1LTS: v2.0.0 - 2.0.29 and IBM supplied MQ Advanced container images SC2: 9.4.0.6 through r1, 9.4.0.6-r2, 9.4.0.7-r1, 9.4.0.10-r1, 9.4.0.10-r2, 9.4.0.11-r1, 9.4.0.11-r2, 9.4.0.11-r3, 9.4.0.12-r1, 9.4.0.15-r1 - 9.4.0.15-r4, 9.4.0.16-r1, 9.4.0.16-r2, 9.4.0.17-r1, 9.4.0.17-r2, 9.4.0.20-r1CD: 9.4.1.0-r1, 9.4.1.0-r2, 9.4.1.1-r1, 9.4.2.0-r1, 9.4.2.0-r2, 9.4.2.1-r1, 9.4.2.1-r2, 9.4.3.0-r1, 9.4.3.0-r2, 9.4.3.1-r1 - 9.4.3.1-r3, 9.4.4.0-r1 - 9.4.4.0-r4, 9.4.4.1-r1, 9.4.5.0-r1, 9.4.5.0-r2LTS: 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.0.10-r1, 9.3.0.10-r2, 9.3.0.11-r1,9.3.0.11-r2, 9.3.0.15-r1, 9.3.0.16-r1, 9.3.0.16-r2, 9.3.0.17-r1, 9.3.0.17-r2, 9.3.0.17-r3, 9.3.0.20-r1, 9.3.0.20-r2, 9.3.0.21-r1, 9.3.0.21-r2, 9.3.0.21-r3, 9.3.0.25-r1, 9.4.0.0-r1, 9.4.0.0-r2, 9.4.0.0-r3, 9.4.0.5-r1, 9.4.0.5-r2 IBM MQ stores potentially sensitive information in log files that could be read by a local user.

AnalysisAI

Sensitive information disclosure in IBM MQ Operator and IBM-supplied MQ Advanced container images exposes potentially sensitive data written to log files, readable by local users on the host or container system. Affected versions span three release tracks (LTS, CD, SC2) across both the MQ Operator (v2.0.0 through v3.9.1) and a broad range of container image releases from 9.3.x through 9.4.x. The CVSS score of 5.1 with a local attack vector and high complexity rating confines exploitation to users with existing local or container runtime access, and no public exploit has been identified at time of analysis.

Technical ContextAI

CWE-532 (Insertion of Sensitive Information into Log File) describes the root cause: IBM MQ writes data - potentially including credentials, connection strings, tokens, or configuration parameters - to log files without adequately sanitizing or masking sensitive fields. IBM MQ Operator is a Kubernetes/OpenShift operator that manages IBM MQ queue manager deployments in containerized environments; the IBM-supplied MQ Advanced container images are the runtime containers managed by this operator. In such environments, log data may be surfaced through multiple channels: raw log files on the container filesystem, container stdout/stderr captured by the runtime, and Kubernetes log APIs (kubectl logs). Each channel has distinct access controls, and misconfigurations or overly permissive RBAC policies in OpenShift/Kubernetes clusters can widen the exposure surface beyond what a traditional on-premises log file vulnerability would imply.

RemediationAI

Consult IBM Security Advisory at https://www.ibm.com/support/pages/node/7273145 for the specific patched operator and container image versions - the exact fix versions are not independently confirmed from the available data and must be verified directly against the advisory before upgrading. Apply the vendor-released patch by updating the IBM MQ Operator to the remediated release for your track (LTS, CD, or SC2) and pulling updated container images from the IBM registry. As compensating controls until patching is complete: restrict filesystem permissions on IBM MQ log directories so that only the MQ service account and authorized administrators can read log files, reducing the blast radius of opportunistic access. In OpenShift/Kubernetes environments, audit and tighten RBAC policies to remove kubectl logs access for non-administrative users on MQ namespaces - note that this may limit developer troubleshooting capability and should be coordinated with operations teams. Where log aggregation pipelines (e.g., Fluentd, Elasticsearch) collect MQ container logs, ensure those pipelines apply log scrubbing or field-level masking for known sensitive patterns. Reducing MQ log verbosity to a minimum operational level is an additional mitigation but may impair incident investigation; document this trade-off before applying.

Share

EUVD-2026-32271 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy