Skip to main content

IBM UrbanCode Deploy EUVDEUVD-2026-40390

| CVE-2026-12086 MEDIUM
Insertion of Sensitive Information into Log File (CWE-532)
2026-06-30 psirt@us.ibm.com GHSA-54jp-jq2r-6hfw
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.2 MEDIUM

Local vector confirmed by description; PR:N reflects world-readable log files; C:H for potentially high-value secrets; no integrity or availability impact.

3.1 AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
CVSS changed
Jul 02, 2026 - 18:37 NVD
6.2 (MEDIUM) 5.5 (MEDIUM)
Analysis Generated
Jun 30, 2026 - 20:38 vuln.today

DescriptionNVD

IBM UCD - IBM UrbanCode Deploy 7.2 through 7.2.3.23, and 7.3 through 7.3.2.18 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 stores potentially sensitive information in log files that could be read by a local user.

AnalysisAI

Sensitive information disclosure in IBM UrbanCode Deploy and IBM DevOps Deploy exposes potentially sensitive data to any local user who can read application log files. Affected are UrbanCode Deploy 7.2 through 7.2.3.23 and 7.3 through 7.3.2.18, as well as DevOps Deploy 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local shell on UCD/DevOps Deploy host
Delivery
Locate application log directory
Exploit
Read world-accessible log files
Execution
Extract embedded credentials or tokens
Impact
Authenticate to downstream deployment targets

Vulnerability AssessmentAI

Exploitation Exploitation requires local OS-level access to the host running IBM UrbanCode Deploy or IBM DevOps Deploy server or agent components. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.2 (Medium) is driven by a local attack vector, low complexity, no required privileges, no user interaction, and high confidentiality impact with no integrity or availability impact - vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained a low-privilege shell account on a host running IBM UrbanCode Deploy or DevOps Deploy - whether through credential theft, lateral movement from another compromised system, or insider access - navigates to the application log directory and reads log files to extract embedded credentials, API tokens, or deployment secrets logged during pipeline execution. No exploit tooling is required; standard OS file-read commands are sufficient. …
Remediation Apply the vendor-released fix by upgrading to the patched version identified in the IBM support advisory at https://www.ibm.com/support/pages/node/7277576. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-22358 HIGH
8.8 Apr 12

IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, 7.3 through 7.3.2.4 and IBM

CVE-2026-12084 HIGH
7.5 Jun 30

Sensitive information disclosure and unauthorized privileged actions in IBM DevOps Deploy (formerly UrbanCode Deploy/UCD

CVE-2024-55904 HIGH
7.2 Feb 14

IBM DevOps Deploy 8.0 through 8.0.1.4, 8.1 through 8.1.0.0 / IBM UrbanCode Deploy 7.0 through 7.0.5.25, 7.1 through 7.1.

CVE-2026-12085 MEDIUM
6.5 Jun 30

Sensitive configuration and secret disclosure in IBM UrbanCode Deploy (7.3-7.3.2.18) and IBM DevOps Deploy (8.0-8.2.1.0)

CVE-2024-56469 MEDIUM
6.3 Mar 27

IBM UrbanCode Deploy (UCD) 7.1 through 7.1.2.22, 7.2 through 7.2.3.15, and 7.3 through 7.3.2.10 / IBM DevOps Deploy 8.0

CVE-2024-22359 MEDIUM
6.1 Apr 12

IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, 7.3 through 7.3.2.4 and IBM

CVE-2025-1998 MEDIUM
5.5 Mar 27

IBM UrbanCode Deploy (UCD) through 7.1.2.21, 7.2 through 7.2.3.14, and 7.3 through 7.3.2.0 / IBM DevOps Deploy 8.0 throu

CVE-2024-22331 MEDIUM
5.5 Feb 06

IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.19, 7.1 through 7.1.2.15, 7.2 through 7.2.3.8, 7.3 through 7.3.2.3, and IBM

CVE-2025-1997 MEDIUM
5.4 Mar 27

IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.25, 7.1 through 7.1.2.21, 7.2 through 7.2.3.14, and 7.3 through 7.3.2.0 / I

CVE-2024-28781 MEDIUM
5.4 May 14

IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, 7.3 through 7.3.2.4, and 8.0

CVE-2024-22334 MEDIUM
4.4 Apr 12

IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, 7.3 through 7.3.2.4 and IBM

CVE-2024-54176 MEDIUM
4.3 Feb 08

IBM DevOps Deploy 8.0 through 8.0.1.4, 8.1 through 8.1.0.0 and IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.25, 7.1 thro

Share

EUVD-2026-40390 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy