Impact
IBM MQ versions 9.1.0.0 through 9.4.4.1 are affected by an authority validation flaw (CWE-305) that can allow a malicious actor to bypass normal authorization checks. By exploiting this vulnerability, an attacker could gain unauthorized access to MQ resources or operations, potentially leading to data exfiltration or disruption of messaging services.
Affected Systems
The vulnerability impacts IBM MQ releases under the LTS track (9.1 LTS, 9.2 LTS, 9.3 LTS, 9.4 LTS) and the continuous delivery releases (9.3 CD, 9.4 CD). The affected versions range from 9.1.0.0 to 9.1.0.33, 9.2.0.0 to 9.2.0.40, 9.3.0.0 to 9.3.0.36, 9.30.0 to 9.3.5.1 CD, 9.4.0.0 to 9.4.0.17 LTS, and 9.4.0.0 to 9.4.4.1 CD.
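As an added example (not part of the advisory, and not IBM or OpenCVE code), the following Python check maps an installed IBM MQ V.R.M.F version onto the ranges listed above. It assumes that a mod level of 0 denotes an LTS fix-pack release and a non-zero mod level a CD release, and it reads the "9.30.0" lower bound in the text as 9.3.0.0.

```python
"""Classify an IBM MQ V.R.M.F version against the affected ranges stated
in the advisory. Added example for inventory checks, not vendor code."""
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# Inclusive ranges as listed in the advisory. The CD lower bound printed
# as "9.30.0" in the text is taken to be 9.3.0.0 (assumption).
AFFECTED_RANGES = [
    ("9.1 LTS", (9, 1, 0, 0), (9, 1, 0, 33)),
    ("9.2 LTS", (9, 2, 0, 0), (9, 2, 0, 40)),
    ("9.3 LTS", (9, 3, 0, 0), (9, 3, 0, 36)),
    ("9.3 CD",  (9, 3, 0, 0), (9, 3, 5, 1)),
    ("9.4 LTS", (9, 4, 0, 0), (9, 4, 0, 17)),
    ("9.4 CD",  (9, 4, 0, 0), (9, 4, 4, 1)),
]


def parse_vrmf(text: str) -> Version:
    """Parse a 'V.R.M.F' string (as printed by dspmqver) into a 4-tuple.
    Missing trailing components are treated as 0; anything that is not
    one to four dot-separated integers is rejected."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a V.R.M.F version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return (nums[0], nums[1], nums[2], nums[3])


def affected_track(text: str) -> Optional[str]:
    """Return the affected range that contains the version, or None.

    Assumption: mod level 0 means the install is on the LTS track, so a
    fix pack beyond the LTS bound (e.g. 9.4.0.18) is not matched against
    the wider CD range that shares the same 9.x.0.0 starting point."""
    v = parse_vrmf(text)
    track = "LTS" if v[2] == 0 else "CD"
    for name, low, high in AFFECTED_RANGES:
        if name.endswith(track) and low <= v <= high:
            return name
    return None
```

Run it against the version reported by each queue manager host; a None result means the version lies outside every range the advisory lists.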
Risk and Exploitability
The CVSS score of 5.5 indicates moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to either compromise an authorized MQ client or gain network access to the MQ server to trigger the flaw. Once exploit conditions are met, the attacker can elevate authority within the MQ environment, potentially affecting the confidentiality, integrity, and availability of queued data.
OpenCVE Enrichment