Description
An authenticated iControl SOAP user may be able to obtain information of other accounts. 

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the iControl SOAP interface of F5 BIG‑IP and allows an attacker with valid credentials to read information about other accounts on the same system, potentially exposing sensitive data. The record classifies the weakness as CWE‑266 (Incorrect Privilege Assignment), an authorization flaw rather than an authentication bypass.

Affected Systems

F5 Networks BIG‑IP appliances are affected; the exact product versions are not specified in the advisory, although only supported releases that have not reached End of Technical Support are evaluated.

Risk and Exploitability

The CVSS v4.0 score of 7.1 is rated High (the CVSS v3.1 score is 6.5). The attack requires valid credentials but permits cross‑account data access, which could be leveraged for further privilege escalation or information gathering. The EPSS score is below 1% (Very Low) and the vulnerability is not listed in the CISA KEV catalog, but it should still be mitigated promptly because any authenticated iControl SOAP user may be able to obtain other accounts' information.

Generated by OpenCVE AI on May 13, 2026 at 16:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest F5 BIG‑IP firmware patch that addresses this iControl SOAP flaw.
  • Restrict iControl SOAP access to trusted administrators and disable unused API endpoints.
  • Configure role‑based access control to limit account data visibility to authorized personnel.
  • Apply network segmentation and secure firewall rules to isolate management interfaces from production traffic.

Generated by OpenCVE AI on May 13, 2026 at 16:46 UTC.

Advisories

No advisories yet.

History

Wed, 13 May 2026 18:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | F5; F5 big-ip |
| Vendors & Products | | F5; F5 big-ip |

Wed, 13 May 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 13 May 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | An authenticated iControl SOAP user may be able to obtain information of other accounts. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
| Title | | iControl SOAP vulnerability |
| Weaknesses | | CWE-266 |
| References | | |
| Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'} |
| | | cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-13T16:13:30.427Z

Reserved: 2026-04-30T23:02:47.700Z

Link: CVE-2026-35062

Vulnrichment

Updated: 2026-05-13T16:13:25.363Z

NVD

Status: Awaiting Analysis

Published: 2026-05-13T16:16:40.400

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-35062

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T18:00:05Z
