Description
IBM MQ Operator SC2: v3.2.0 through 3.2.23CD:  v3.3.0, v3.4.0, v3.4.1, v3.5.0, v3.5.1 - v3.5.3, v3.6.0 - v3.6.4, v3.7.0 - v3.7.2, v3.8.0, v3.8.1, v3.9.0, v3.9.1LTS: v2.0.0 - 2.0.29 and IBM supplied MQ Advanced container images SC2: 9.4.0.6 through r1, 9.4.0.6-r2, 9.4.0.7-r1, 9.4.0.10-r1, 9.4.0.10-r2, 9.4.0.11-r1, 9.4.0.11-r2, 9.4.0.11-r3, 9.4.0.12-r1, 9.4.0.15-r1 - 9.4.0.15-r4, 9.4.0.16-r1, 9.4.0.16-r2, 9.4.0.17-r1, 9.4.0.17-r2, 9.4.0.20-r1CD: 9.4.1.0-r1, 9.4.1.0-r2, 9.4.1.1-r1, 9.4.2.0-r1, 9.4.2.0-r2, 9.4.2.1-r1, 9.4.2.1-r2, 9.4.3.0-r1, 9.4.3.0-r2, 9.4.3.1-r1 - 9.4.3.1-r3, 9.4.4.0-r1 - 9.4.4.0-r4, 9.4.4.1-r1, 9.4.5.0-r1, 9.4.5.0-r2LTS: 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.0.10-r1, 9.3.0.10-r2, 9.3.0.11-r1,9.3.0.11-r2, 9.3.0.15-r1, 9.3.0.16-r1, 9.3.0.16-r2, 9.3.0.17-r1, 9.3.0.17-r2, 9.3.0.17-r3, 9.3.0.20-r1, 9.3.0.20-r2, 9.3.0.21-r1, 9.3.0.21-r2, 9.3.0.21-r3, 9.3.0.25-r1, 9.4.0.0-r1, 9.4.0.0-r2, 9.4.0.0-r3, 9.4.0.5-r1, 9.4.0.5-r2 IBM MQ stores potentially sensitive information in log files that could be read by a local user.
Published: 2026-05-27
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM MQ Operator and the supplied MQ Advanced container images contain a flaw where logs can include sensitive information. A local user who has access to the container or the host can read these log files and obtain confidential data. The vulnerability, classified as CWE-532 Information Exposure Through Log Files, allows information disclosure but does not provide remote code execution or denial of service capabilities.

Affected Systems

Affected configurations include IBM MQ Operator versions v3.2.0 through v3.9.1 (both SC2 and CD releases) as well as IBM supplied MQ Advanced container images from 9.4.0.6 up to 9.4.5.0-r2 for the SC2 line and up to 9.4.5.1-r1 for the CD line. The vendor recommends updating to IBM MQ Operator v3.9.2 CD with MQ Advanced 9.4.5.1-r1, IBM MQ Operator v3.2.24 SC2 with MQ Advanced 9.4.0.21-r1, or the standalone MQ Container 9.4.5.1-r1 container image.

Risk and Exploitability

The CVSS score is 5.1, indicating a moderate impact. EPSS information is unavailable and the vulnerability is not listed in CISA KEV. The likely attack vector is local access to the container or host environment where log files are stored; an attacker would need to read the logs, making exploitation easier if sufficient permissions exist. Because it requires local access and does not expose remote execution, the risk profile remains moderate, but early patching is recommended to prevent accidental data leakage.

Generated by OpenCVE AI on May 27, 2026 at 15:24 UTC.

Remediation

Vendor Solution

Issues mentioned by this security bulletin are addressed in - * IBM MQ Operator v3.9.2 CD release that included IBM supplied MQ Advanced 9.4.5.1-r1 container image.  * IBM MQ Operator v3.2.24 SC2 release that included IBM supplied MQ Advanced 9.4.0.21-r1 container image. * IBM MQ Container 9.4.5.0-r2 release. IBM strongly recommends applying the latest container images.  IBM MQ Operator v3.9.2 CD release details: Image Fix Version Registry Image Location ibm-mq-operator v3.9.2 icr.io icr.io/cpopen/ibm-mq-operator@sha256:a62c6c91c4d0acccc8231e8639ecb5da9a49ba8475a2c38655446a2fc22e0fcf ibm-mqadvanced-server 9.4.5.1-r1 cp.icr.io cp.icr.io/cp/ibm-mqadvanced-server@sha256:7b69ef7c554ced9825b450209c304669626082282b9f5eb021b051acea49a1a0 ibm-mqadvanced-server-integration 9.4.5.1-r1 cp.icr.io cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:b7cc492502f9a8072a47e794697094f8f3607ab745814befd881389a088d8045 ibm-mqadvanced-server-dev 9.4.5.1-r1 icr.io icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:28cd7e9dc413eced83b21e02cd3683966f19ef22867bbc7ca8c1ed19d062f986 IBM MQ Operator v3.2.24 SC2 release details: Image Fix Version Registry Image Location ibm-mq-operator v3.2.24 icr.io icr.io/cpopen/ibm-mq-operator@sha256:9b99e07fe04f690be7f0c8b60d15b32c72b9964e3043a818eb1339a8ad8b1f3f ibm-mqadvanced-server 9.4.0.21-r1 cp.icr.io cp.icr.io/cp/ibm-mqadvanced-server@sha256:3782667654290147084436f31e21e7890aecb1c86dc0a8906e9eda966123b0fd ibm-mqadvanced-server-integration 9.4.0.21-r1 cp.icr.io cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:647a2562789ddbd2bcba20c74a3309c349105f0b32357366a22b02c7666d70be ibm-mqadvanced-server-dev 9.4.0.21-r1 icr.io icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:be50e5e2de4faa4cbeab504e5439a5a1c01a6fe7bfbffc5de0091f1a0457efca IBM MQ Container 9.4.5.1-r1 release details: Image Fix Version Registry Image Location ibm-mqadvanced-server 9.4.5.1-r1 cp.icr.io cp.icr.io/cp/ibm-mqadvanced-server@sha256:7b69ef7c554ced9825b450209c304669626082282b9f5eb021b051acea49a1a0 ibm-mqadvanced-server-dev 9.4.5.1-r1 icr.io icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:28cd7e9dc413eced83b21e02cd3683966f19ef22867bbc7ca8c1ed19d062f986

OpenCVE Recommended Actions

  • Upgrade the IBM MQ Operator to v3.9.2 CD or v3.2.24 SC2 releases that include the latest MQ Advanced container images (e.g., 9.4.5.1‑r1 or 9.4.0.21‑r1).
  • Replace existing MQ Advanced container images with the patched versions (9.4.5.1‑r1 for CD or 9.4.0.21‑r1 for SC2) and redeploy the operator.
  • Configure log file permissions to restrict access only to authorized users and enable regular log rotation to limit the amount of exposed information.

Generated by OpenCVE AI on May 27, 2026 at 15:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description IBM MQ Operator SC2: v3.2.0 through 3.2.23CD:  v3.3.0, v3.4.0, v3.4.1, v3.5.0, v3.5.1 - v3.5.3, v3.6.0 - v3.6.4, v3.7.0 - v3.7.2, v3.8.0, v3.8.1, v3.9.0, v3.9.1LTS: v2.0.0 - 2.0.29 and IBM supplied MQ Advanced container images SC2: 9.4.0.6 through r1, 9.4.0.6-r2, 9.4.0.7-r1, 9.4.0.10-r1, 9.4.0.10-r2, 9.4.0.11-r1, 9.4.0.11-r2, 9.4.0.11-r3, 9.4.0.12-r1, 9.4.0.15-r1 - 9.4.0.15-r4, 9.4.0.16-r1, 9.4.0.16-r2, 9.4.0.17-r1, 9.4.0.17-r2, 9.4.0.20-r1CD: 9.4.1.0-r1, 9.4.1.0-r2, 9.4.1.1-r1, 9.4.2.0-r1, 9.4.2.0-r2, 9.4.2.1-r1, 9.4.2.1-r2, 9.4.3.0-r1, 9.4.3.0-r2, 9.4.3.1-r1 - 9.4.3.1-r3, 9.4.4.0-r1 - 9.4.4.0-r4, 9.4.4.1-r1, 9.4.5.0-r1, 9.4.5.0-r2LTS: 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.0.10-r1, 9.3.0.10-r2, 9.3.0.11-r1,9.3.0.11-r2, 9.3.0.15-r1, 9.3.0.16-r1, 9.3.0.16-r2, 9.3.0.17-r1, 9.3.0.17-r2, 9.3.0.17-r3, 9.3.0.20-r1, 9.3.0.20-r2, 9.3.0.21-r1, 9.3.0.21-r2, 9.3.0.21-r3, 9.3.0.25-r1, 9.4.0.0-r1, 9.4.0.0-r2, 9.4.0.0-r3, 9.4.0.5-r1, 9.4.0.5-r2 IBM MQ stores potentially sensitive information in log files that could be read by a local user.
Title Multiple vulnerabilities in IBM MQ Operator and Queue manager container images
First Time appeared Ibm
Ibm mq Operator
Ibm supplied Mq Advanced Container Images
Weaknesses CWE-532
CPEs cpe:2.3:a:ibm:mq_operator:3.2.23:cd:*:*:*:*:*:*:*
cpe:2.3:a:ibm:mq_operator:sc2:*:*:*:*:*:*:*
cpe:2.3:a:ibm:supplied_mq_advanced_container_images:r1:*:*:*:*:*:*:*
cpe:2.3:a:ibm:supplied_mq_advanced_container_images:sc2:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm mq Operator
Ibm supplied Mq Advanced Container Images
References
Metrics cvssV3_1

{'score': 5.1, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Ibm Mq Operator Supplied Mq Advanced Container Images
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-27T12:20:42.199Z

Reserved: 2026-02-16T22:18:10.093Z

Link: CVE-2026-2607

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:16:44.517

Modified: 2026-05-27T14:53:51.833

Link: CVE-2026-2607

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T17:45:32Z

Weaknesses