Description
IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains.
Published: 2026-06-30
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM UrbanCode Deploy (UCD) implements Cross-Origin Resource Sharing (CORS) without restricting it to trusted domains, allowing an attacker to perform privileged actions and retrieve confidential information. This is a classic case of a permissive cross-domain policy that accepts untrusted domains (CWE-942). An attacker could set up a malicious website that issues requests to UCD through a visiting user's browser, which forwards them, thereby bypassing intended security controls and potentially gaining unauthorized administrative access or leaking sensitive data.

Affected Systems

IBM DevOps Deploy (UCD) versions 8.1 through 8.1.2.6 and 8.2 through 8.2.1.0 are affected. These include the standard builds of IBM UCD in the 8.1 and 8.2 series, and all intermediary patch releases up to the specified versions.

Risk and Exploitability

The CVSS 3.1 score of 5.4 indicates medium severity; the vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) describes a network-reachable, low-complexity attack that needs no privileges but does require user interaction, with low confidentiality and integrity impact. With no EPSS score available and no KEV listing, there are no publicly confirmed exploit campaigns at this time, but the permissive CORS policy offers a clear attack vector: a malicious web page that sends privileged requests to the UCD instance. Successful exploitation would allow an attacker to perform actions normally restricted to authenticated users and to read sensitive configuration data. The risk level is moderate, but an organization should consider the potential impact of unauthorized data exposure and take timely action.

Generated by OpenCVE AI on June 30, 2026 at 21:25 UTC.

Remediation

Vendor Solution

IBM strongly suggests the following: Upgrade affected versions to any of 8.1.2.7 (https://www.ibm.com/support/fixcentral/swg/downloadFixes), 8.2.2.0 (https://www.ibm.com/support/fixcentral/swg/downloadFixes) or later.


OpenCVE Recommended Actions

  • Upgrade to IBM UCD version 8.1.2.7, 8.2.2.0, or later, using IBM's Fix Central download links
  • If upgrading is not immediately possible, modify the UCD configuration to explicitly restrict CORS to trusted origins only, removing the permissive wildcard
  • After applying a fix or configuration change, monitor UCD logs for abnormal cross-origin requests and enforce strict access controls

Generated by OpenCVE AI on June 30, 2026 at 21:25 UTC.
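
To confirm that an upgrade or configuration change actually restricted CORS to trusted origins, the following added example (not code from IBM or OpenCVE) audits the CORS response headers returned for a given request `Origin`. The trusted origin names, the function names and the sample header pairs are assumptions constructed for illustration; collect real pairs from your own UCD server.

```python
from urllib.parse import urlsplit

# Assumption: placeholder origins standing in for the sites you trust to call UCD.
TRUSTED_ORIGINS = frozenset({"https://ucd.example.internal", "https://portal.example.internal"})

def normalize_origin(value):
    """Return 'scheme://host[:port]' lowercased, or None if value is not a bare web origin."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port
    except ValueError:  # malformed port or bracketed host
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        return None
    return f"{parts.scheme}://{parts.hostname}" + (f":{port}" if port else "")

def audit_cors(probe_origin, response_headers, trusted=TRUSTED_ORIGINS):
    """Return findings for one probe/response pair; an empty list means no CORS issue."""
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    if acao is None:
        return []  # no grant: browsers will not expose the response cross-origin
    findings = []
    if acao == "*":
        findings.append("wildcard")
    elif acao.lower() == "null":
        findings.append("null-origin")
    elif normalize_origin(acao) not in trusted:  # exact match only, no suffix matching
        findings.append("untrusted-origin")
        if acao == probe_origin:
            findings.append("reflected")
    # Browsers refuse credentialed reads when the grant is '*', so only flag other grants.
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    if findings and creds and acao != "*":
        findings.append("with-credentials")
    return findings

# Constructed probe/response pairs (not captured from a real UCD server).
SAMPLES = [
    ("https://untrusted.test", {"Access-Control-Allow-Origin": "https://untrusted.test",
                                "Access-Control-Allow-Credentials": "true"}),
    ("https://untrusted.test", {"Access-Control-Allow-Origin": "*"}),
    ("https://portal.example.internal", {"Access-Control-Allow-Origin": "https://portal.example.internal",
                                          "Access-Control-Allow-Credentials": "true"}),
]

if __name__ == "__main__":
    for origin, hdrs in SAMPLES:
        print(origin, "->", audit_cors(origin, hdrs) or "ok")
```

Any non-empty result for an origin outside the trusted set means the server still grants cross-origin access too broadly; `reflected` together with `with-credentials` is the combination that lets another site read authenticated responses.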

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains. |
| Title | | IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to a Permissive Cross-domain Security Policy with Untrusted Domains |
| First Time appeared | | Ibm; Ibm ucd Ibm Devops Deploy |
| Weaknesses | | CWE-942 |
| CPEs | | cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.1.0:*:*:*:*:*:*:* |
| | | cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.1.2.6:*:*:*:*:*:*:* |
| | | cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.1:*:*:*:*:*:*:* |
| | | cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.2.0:*:*:*:*:*:*:* |
| | | cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.2.1.0:*:*:*:*:*:*:* |
| | | cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.2:*:*:*:*:*:*:* |
| Vendors & Products | | Ibm; Ibm ucd Ibm Devops Deploy |
| References | | |
| Metrics | | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'} |


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-30T19:39:24.786Z

Reserved: 2026-06-12T13:08:26.053Z

Link: CVE-2026-12084

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T21:30:17Z

Weaknesses
  • CWE-942

    Permissive Cross-domain Security Policy with Untrusted Domains