Description
IBM Concert 1.0.0 through 2.2.0 could allow a local user to obtain sensitive information due to missing function level access control.
Published: 2026-03-25
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive information disclosure
Action: Patch Now
AI Analysis

Impact

A missing function level access control flaw in IBM Concert Software versions 1.0.0 through 2.2.0 permits a local user with sufficient login rights to read confidential data stored by the application. The vulnerability is a disclosure of sensitive information: it lets an attacker compromise data confidentiality, but it does not provide code execution or denial of service capabilities.

Affected Systems

IBM Concert Software versions 1.0.0 through 2.2.0, including 1.0.0, 2.2.0 and every intermediate release, are susceptible to this flaw. The issue exists in all releases prior to 2.3.1, which fixes the access control checks.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity; the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in the KEV catalog and does not provide remote access, limiting the attack to users who already have local login. An attacker must have local credentials to exploit the flaw, and the path to obtaining sensitive data is straightforward once this access is achieved.

Generated by OpenCVE AI on March 26, 2026 at 19:37 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by upgrading to IBM Concert Software 2.3.1. Download IBM Concert Software 2.3.1 from the Container software library section of IBM Entitled Registry (ICR, https://myibm.ibm.com/products-services/containerlibrary) and follow the installation instructions (https://www.ibm.com/docs/en/concert) depending on the type of deployment.


OpenCVE Recommended Actions

  • Identify any IBM Concert installations running versions 1.0.0 through 2.2.0
  • Plan an upgrade to IBM Concert Software 2.3.1 following IBM’s installation guidance
  • Validate the upgrade in a test environment before production deployment
  • Verify that access controls prevent unauthorized data reads after upgrade
  • Document the change and update security inventory to reflect the patched state

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 18:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*

Wed, 25 Mar 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | IBM Concert 1.0.0 through 2.2.0 could allow a local user to obtain sensitive information due to missing function level access control.
Title | | Multiple Vulnerabilities in IBM Concert Software
First Time appeared | | Ibm; Ibm concert
Weaknesses | | CWE-522
CPEs | | cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*; cpe:2.3:a:ibm:concert:2.2.0:*:*:*:*:*:*:*
Vendors & Products | | Ibm; Ibm concert
References | |
Metrics | | cvssV3_1: {'score': 5.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-03-26T17:51:17.142Z

Reserved: 2025-04-15T21:17:04.946Z

Link: CVE-2025-36440

Vulnrichment

Updated: 2026-03-26T17:49:30.675Z

NVD

Status: Analyzed

Published: 2026-03-25T21:16:25.463

Modified: 2026-03-26T17:52:14.437

Link: CVE-2025-36440

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:29:39Z

Weaknesses