Skip to main content

IBM Db2 Genius Hub EUVDEUVD-2026-45305

| CVE-2026-14501 MEDIUM
Use of Potentially Dangerous Function (CWE-676)
2026-07-17 psirt@us.ibm.com GHSA-2wgw-pqw5-5j5p
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
7.6 HIGH

Description confirms RCE and info disclosure; raised C to L and I to H; A:L for process disruption risk from code execution.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 17, 2026 - 20:35 vuln.today

DescriptionNVD

IBM Db2 Genius Hub 1.1, 1.1.1, 1.1.2 and IBM Agentics 1.0 could allow an attacker to execute arbitrary code or obtain sensitive information due to the use of dangerous functions without sufficient restrictions.

AnalysisAI

Dangerous function use without sufficient restriction in IBM Db2 Genius Hub (versions 1.1, 1.1.1, 1.1.2) and IBM Agentics 1.0 exposes network-accessible endpoints to arbitrary code execution and sensitive information disclosure by low-privileged authenticated attackers. The vulnerability stems from CWE-676 - the use of inherently dangerous functions (such as eval, exec, or system-level calls) without adequate input validation or sandboxing. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege credentials for platform
Delivery
Identify vulnerable API or agentic endpoint
Exploit
Send crafted input to dangerous function
Execution
Trigger unsanitized code or command execution
Impact
Access sensitive data or execute arbitrary commands

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold at least a low-privilege authenticated session with IBM Db2 Genius Hub or IBM Agentics (CVSS PR:L) - unauthenticated access is not sufficient per the provided vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-supplied CVSS score of 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N presents a significant internal conflict with the vulnerability description: the description explicitly states arbitrary code execution and sensitive information disclosure are possible, yet the CVSS assigns C:N (no confidentiality impact) and I:L (low integrity impact). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged authenticated user - such as a standard platform user or API consumer - sends a crafted network request to IBM Db2 Genius Hub that reaches an insufficiently restricted dangerous function (e.g., a dynamic code evaluation or shell execution primitive). The attacker supplies malicious input that the function executes without proper sanitization, resulting in arbitrary command execution in the application's process context or exfiltration of sensitive data accessible to that process. …
Remediation Consult the IBM advisory at https://www.ibm.com/support/pages/node/7279901 for official patching guidance - no exact fixed version was independently confirmed from the available data, so the advisory should be treated as the authoritative source. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-45305 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy