Description
IBM Concert 1.0.0 through 2.2.0 could allow a privileged user to perform unauthorized actions due to improper restriction of channel communication to intended endpoints.
Published: 2026-03-25
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized privileged actions
Action: Immediate Patch
AI Analysis

Impact

This vulnerability allows a user with privileged access to perform unauthorized actions in IBM Concert Software versions 1.0.0 through 2.2.0 because channel communication is not properly restricted to intended endpoints. The flaw effectively lets an attacker bypass intended endpoint controls, increasing the risk of data modification, configuration changes, and other privileged actions that could affect the integrity of the system.

Affected Systems

IBM Concert Software versions 1.0.0 to 2.2.0 are susceptible. This range includes the initial release 1.0.0 and every subsequent release up to and including 2.2.0. The affected product is IBM Concert, a container-oriented orchestration platform provided by IBM.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of widespread exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation would require a user who already holds privileged status within the system and can communicate over the affected channels; the flaw does not appear to be exploitable remotely or without existing access.

Generated by OpenCVE AI on March 26, 2026 at 19:23 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by upgrading to IBM Concert Software 2.3.1. Download IBM Concert Software 2.3.1 from the Container software library section of IBM Entitled Registry (ICR, https://myibm.ibm.com/products-services/containerlibrary) and follow the installation instructions at https://www.ibm.com/docs/en/concert depending on the type of deployment.


OpenCVE Recommended Actions

  • Upgrade IBM Concert Software to version 2.3.1 or later as this release contains the fix for the vulnerability.
  • Verify that no older versions (1.0.0 – 2.2.0) remain in use or accessible within your environment.

Generated by OpenCVE AI on March 26, 2026 at 19:23 UTC.


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 18:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*

Thu, 26 Mar 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values Added:

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 20:45:00 +0000

Values Added:

Description: IBM Concert 1.0.0 through 2.2.0 could allow a privileged user to perform unauthorized actions due to improper restriction of channel communication to intended endpoints.
Title: Multiple Vulnerabilities in IBM Concert Software
First Time appeared: Ibm, Ibm concert
Weaknesses: CWE-923
CPEs: cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*, cpe:2.3:a:ibm:concert:2.2.0:*:*:*:*:*:*:*
Vendors & Products: Ibm, Ibm concert
References:
Metrics (cvssV3_1):

{'score': 5.1, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-03-26T15:25:09.536Z

Reserved: 2025-04-15T21:17:03.969Z

Link: CVE-2025-36438

Vulnrichment

Updated: 2026-03-26T15:25:06.453Z

NVD

Status: Analyzed

Published: 2026-03-25T21:16:25.283

Modified: 2026-03-26T18:10:38.680

Link: CVE-2025-36438

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:29:40Z

Weaknesses