Description
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes DB2 Connect Server) stores potentially sensitive information in log files that could be read by a local user.
Published: 2026-05-26
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 are affected on Linux, UNIX, and Windows platforms. The vulnerability occurs when the database engine executes specific testcase buckets and writes potentially sensitive information, including credentials, to the diagnostic log (db2diag). A local user who can read those log files can recover the exposed strings, leading to credential theft and potentially to elevated privileges.

Affected Systems

The affected product is IBM Db2 for Linux, UNIX and Windows, including the DB2 Connect Server releases. The impacted range runs from Db2 11.5.0 to 11.5.9 and from Db2 12.1.0 to 12.1.4, covering all supported operating systems listed in the CVE entry.

Risk and Exploitability

The CVSS 3.1 score of 5.5 (vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates moderate severity, primarily because the flaw requires local access with low privileges; there is no evidence of remote exploitation. The EPSS score is not available, so the likelihood of exploitation cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. Because the only prerequisite is a local user who can read the diagnostic logs, the risk is elevated on systems with permissive log file permissions or where privileged logs are accessible to ordinary users. The impact is limited to confidentiality: credentials written to the logs can be disclosed, with no integrity or availability effect.

Generated by OpenCVE AI on May 26, 2026 at 18:29 UTC.

Remediation

Vendor Solution

Customers running any vulnerable affected level of an affected Program, V11.5, and V12.1, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent level for each impacted release: V11.5.9, and V12.1.4. They can be applied to any affected level of the appropriate release to remediate this vulnerability.

Release   Fixed in mod pack / APAR   Download URL
V11.5     TBD                        https://www.ibm.com/support/pages/node/7087189
V12.1     TBD                        https://www.ibm.com/support/pages/node/7267513

IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.


Vendor Workaround

Set the diaglevel to 2, 1 or 0


OpenCVE Recommended Actions

  • Apply the interim fix special build V11.5.9 for an affected level of Db2 11.5 or the interim fix special build V12.1.4 for an affected level of Db2 12.1 available from IBM Fix Central.
  • If the patch cannot be applied immediately, configure the diagnostic level by setting diaglevel to 0, 1, or 2 to prevent sensitive data from being logged while executing testcase buckets.
  • Review existing log files for exposed credentials and remove or secure any sensitive entries discovered before applying the fix.

Generated by OpenCVE AI on May 26, 2026 at 18:29 UTC.

Advisories

No advisories yet.

History

Tue, 26 May 2026 18:30:00 +0000

Type             Values Removed   Values Added
Metrics (ssvc)   -                {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 26 May 2026 17:00:00 +0000

Type                 Values Removed   Values Added
Description          -                IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes DB2 Connect Server) stores potentially sensitive information in log files that could be read by a local user.
Title                -                IBM® Db2® is vulnerable to credential exposure in db2diag when executing specific testcase buckets
First Time appeared  -                Ibm; Ibm db2
Weaknesses           -                CWE-532
CPEs                 -                cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:*:*:*
                                      cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:*:*:*
                                      cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:*:*:*
                                      cpe:2.3:a:ibm:db2:12.1.4:*:*:*:*:*:*:*
Vendors & Products   -                Ibm; Ibm db2
References           -                
Metrics (cvssV3_1)   -                {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-26T17:51:09.240Z

Reserved: 2025-11-26T19:41:29.841Z

Link: CVE-2025-13755

Vulnrichment

Updated: 2026-05-26T17:50:51.275Z

NVD

Status: Awaiting Analysis

Published: 2026-05-26T17:16:27.810

Modified: 2026-05-26T19:06:14.330

Link: CVE-2025-13755

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T18:30:12Z

Weaknesses