IBM security advisory (AV26-639)
# Vulnerability: Multiple Vulnerabilities in IBM Enterprise Portfolio (AV26-639)
## CVE Details
*Note: This specific advisory (AV26-639) is a consolidated bulletin. While specific CVE IDs for each product are listed in the individual linked IBM advisories, the bulletin covers a range of vulnerabilities including critical flaws.*
- **CVE ID:** Various (Refer to individual product advisories via IBM PSIRT)
- **CVSS Score:** Up to 10.0 (Severity: Critical)
- **CWE:** Varies by product (includes Input Validation, Authentication Bypass, and Dependency-related weaknesses)
## Affected Systems
- **Products & Versions:**
  - **IBM Cloud Pak System:** 2.3.5.0
  - **IBM Observability with Instana (Agent):** Build 1.0.303 to 1.0.319
  - **IBM Db2 Big SQL (Cloud Pak for Data / Software Hub):** Version 5.0 and others
  - **IBM Engineering Suite (Workflow Management, DOORS Next, Test Management):** 7.0.3, 7.1, 7.2
  - **Global Configuration Management / Jazz Foundation:** 7.0.3, 7.1, 7.2
  - **Langflow OSS:** 1.0.0 to 1.10.0
  - **IBM InfoSphere Information Server:** 11.7.0.0 to 11.7.1.6
  - **IBM Operator for PostgreSQL:** v28.3.0 to v28.3.2
  - **IBM Storage Protect Plus (Server, vSnap, File Systems, Guest Apps):** 10.1.0 to 10.1.18
  - **IBM Storage Defender Copy Data Management:** 2.2.0.0 to 2.3.0.1
  - **WatsonX (Orchestrate Developer Edition & BI):** Various versions up to 5.3
  - **WebSphere Service Registry and Repository:** 8.5
- **Configurations:** Impacts standalone and containerized deployments (Cloud Pak/Software Hub).
## Vulnerability Description
This advisory summarizes a collection of security updates released between June 22 and June 28, 2026. The technical flaws range from remote code execution (RCE) in management agents and storage components to privilege escalation within the IBM Engineering and Jazz Foundation frameworks. Several products (like Langflow OSS and WatsonX) were patched for vulnerabilities in their underlying AI orchestration layers.
## Exploitation
- **Status:** Vulnerabilities are currently being addressed. No broad in-the-wild exploitation has been confirmed for all of them, but PoCs typically emerge rapidly for IBM Cloud Pak components.
- **Complexity:** Low to Medium (depending on the specific product)
- **Attack Vector:** Network (most critical updates address remotely exploitable flaws)
## Impact
- **Confidentiality:** High (Potential data exfiltration from Db2 and InfoSphere)
- **Integrity:** High (Modification of configuration management and engineering workflows)
- **Availability:** High (Potential for Denial of Service in Storage Protect Plus and Cloud Pak systems)
## Remediation
### Patches
IBM recommends upgrading to the following minimum versions or applying specific interim fixes:
- **Cloud Pak System:** Apply latest 2.3.5.x patches.
- **Instana Agent:** Upgrade to Build 1.0.320 or higher.
- **Engineering Suite/Jazz:** Upgrade to 7.0.3 iFix, 7.1 iFix, or 7.2 iFix as specified in the product bulletin.
- **Storage Protect Plus:** Upgrade to version 10.1.19 or higher.
- **InfoSphere:** Apply 11.7.1.x Service Pack/Rollup.
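
To triage an asset inventory against the bounded version ranges listed under Affected Systems, the following added example (not IBM's or the advisory's own tooling) compares versions numerically, since plain string comparison would place 1.9.2 above 1.10.0 and miss it. The product keys, function names and sample inventory are assumptions made for this illustration.

```python
import re

# Inclusive affected ranges copied from the "Affected Systems" list above.
# The dictionary keys are labels chosen for this example, not IBM identifiers.
AFFECTED = {
    "instana-agent": ("1.0.303", "1.0.319"),
    "langflow-oss": ("1.0.0", "1.10.0"),
    "infosphere-information-server": ("11.7.0.0", "11.7.1.6"),
    "operator-for-postgresql": ("v28.3.0", "v28.3.2"),
    "storage-protect-plus": ("10.1.0", "10.1.18"),
    "storage-defender-cdm": ("2.2.0.0", "2.3.0.1"),
}

def parse_version(text):
    """Turn '10.1.18' or 'v28.3.1' into a tuple of ints."""
    match = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if match is None:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))

def fit(version, width):
    """Zero-pad or truncate so the version has as many fields as the bound."""
    return (version + (0,) * width)[:width]

def is_affected(product, version):
    """True/False for a listed product, None for one this table does not track."""
    if product not in AFFECTED:
        return None
    low, high = (parse_version(bound) for bound in AFFECTED[product])
    ver = parse_version(version)
    # Assumption: sub-levels of the last affected release (10.1.18.2) stay flagged.
    return low <= fit(ver, len(low)) and fit(ver, len(high)) <= high

def triage(inventory):
    """Return the (host, product, version) rows that fall in an affected range."""
    return [row for row in inventory if is_affected(row[1], row[2])]

# Constructed inventory for illustration; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("mon-01", "instana-agent", "1.0.320"),
    ("ai-lab-02", "langflow-oss", "1.9.2"),
    ("bkp-03", "storage-protect-plus", "10.1.9"),
    ("bkp-04", "storage-protect-plus", "10.1.19"),
    ("pg-05", "operator-for-postgresql", "v28.3.1"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is in an affected range")
```

Products whose affected versions the bulletin gives only as discrete releases or "various" (Engineering Suite, Db2 Big SQL, WatsonX, WebSphere Service Registry and Repository) are left out of the table and need a manual check against the individual IBM bulletins.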
### Workarounds
- Implement strict Network Access Control Lists (ACLs) to limit access to management ports.
- Disable unused services in WebSphere and InfoSphere to reduce attack surface.
- For Langflow OSS, ensure instances are not exposed to the public internet without an authentication proxy.
## Detection
- **Indicators of Compromise:** Monitor for unusual administrative login attempts, unexpected outbound traffic from Storage Protect Plus agents, and unauthorized changes in Jazz Foundation configurations.
- **Detection methods and tools:** Use vulnerability scanners updated with the latest June 2026 definitions. Monitor IBM PSIRT feeds for specific file hashes or YARA rules related to individual CVEs.
## References
- IBM Product Security Incident Response: [hxxps://www[.]ibm[.]com/support/pages/bulletin/]
- Canadian Centre for Cyber Security Advisory: [hxxps://www[.]cyber[.]gc[.]ca/en/alerts-advisories/ibm-security-advisory-av26-639]