Description
IBM UCD - IBM UrbanCode Deploy 7.3 through 7.3.2.18 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 IBM DevOps Deploy could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks against the system.
Published: 2026-06-30
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker who can authenticate to IBM UCD to receive API responses that contain configuration data and secrets. Exposing such sensitive information is a direct data disclosure flaw that could be used by a malicious actor to launch further attacks against the system.

Affected Systems

IBM DevOps Deploy versions 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0, as well as IBM UrbanCode Deploy versions 7.3 through 7.3.2.18 contain the affected API endpoints.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, so public exploitation data is lacking. Attackers would need valid credentials to access the API, limiting the attack to authenticated users, but once the sensitive data is disclosed, it can be leveraged for privilege escalation or targeted attacks. The overall risk is medium, but patching is advised.

Generated by OpenCVE AI on June 30, 2026 at 21:25 UTC.

Remediation

Vendor Solution

IBM strongly suggests the following: Upgrade affected versions to any of 7.3.2.19 https://www.ibm.com/support/fixcentral/swg/downloadFixes , 8.0.1.14 https://www.ibm.com/support/fixcentral/swg/downloadFixes , 8.1.2.7 https://www.ibm.com/support/fixcentral/swg/downloadFixes , 8.2.2.0 https://www.ibm.com/support/fixcentral/swg/downloadFixes or later


OpenCVE Recommended Actions

  • Upgrade IBM DevOps Deploy to 8.0.1.14 or later and IBM UrbanCode Deploy to 7.3.2.19 or later, following the IBM provided fix links.
  • Reconfigure the system so that API responses omit sensitive configuration and secret fields whenever possible.
  • Ensure that only users with the least privileges required for their tasks have access to API endpoints that return configuration data, and regularly audit role‑based access controls.

Generated by OpenCVE AI on June 30, 2026 at 21:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description IBM UCD - IBM UrbanCode Deploy 7.3 through 7.3.2.18 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 IBM DevOps Deploy could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks against the system.
Title IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptable to an Insertion of Sensitive Information Into Sent Data vulnerability
First Time appeared Ibm
Ibm ucd Ibm Devops Deploy
Ibm ucd Ibm Urbancode Deploy
Weaknesses CWE-201
CPEs cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.0.1.13:*:*:*:*:*:*:*
cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.1.2.6:*:*:*:*:*:*:*
cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.1:*:*:*:*:*:*:*
cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.2:*:*:*:*:*:*:*
cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.3.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.3.2.18:*:*:*:*:*:*:*
cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.3:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm ucd Ibm Devops Deploy
Ibm ucd Ibm Urbancode Deploy
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Ibm Ucd Ibm Devops Deploy Ucd Ibm Urbancode Deploy
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-30T19:38:19.293Z

Reserved: 2026-06-12T13:20:09.092Z

Link: CVE-2026-12085

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T21:30:17Z

Weaknesses
  • CWE-201

    Insertion of Sensitive Information Into Sent Data