Description
IBM Cloud APM, Base Private 8.1.4 and IBM Cloud APM, Advanced Private 8.1.4 IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of the Fenced environment.
Published: 2026-05-27
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper neutralization of special elements in the data query logic within the Fenced environment of IBM Db2 for Linux, UNIX, and Windows. An attacker with authenticated access can exploit this flaw to trigger a denial of service, disrupting normal database operations. The record maps the weakness to CWE-1284; in this case its effect is that a legitimate, authenticated user can interrupt the service.

Affected Systems

The affected products are IBM Cloud APM, Base Private 8.1.4 and IBM Cloud APM, Advanced Private 8.1.4, which bundle IBM Db2 for Linux, UNIX and Windows (including DB2 Connect Server). The vulnerability is present in the 8.1.4 release of these APM components, and remediation requires patching the underlying DB2 V11.5 server. No other versions are listed as affected in the available data.

Risk and Exploitability

The CVSS 3.1 base score is 6.5 (Medium), with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H: reachable over the network, low attack complexity, low privileges required, no user interaction, and an availability impact only (no confidentiality or integrity impact). The EPSS score is not available, so the current exploitation probability is unknown, and the CVE is not listed in the CISA KEV catalog. The defect requires authenticated access, so an attacker would need valid credentials on the system. Once authenticated, the user can send specially crafted queries that trigger the denial of service. Because the flaw cannot be exploited by unauthenticated users, the attack surface is narrower, but once inside, an attacker can cripple database availability.

Generated by OpenCVE AI on May 27, 2026 at 15:36 UTC.

Remediation

Vendor Solution

The vulnerabilities can be remediated by first applying the necessary fixes to your DB2 V11.5 server. The fixes can be accessed from the following security bulletin: https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FIBM+Application+Performance+Management&fixids=8.1.4.0-IBM-APM-SERVER-IF0019&source=SAR&function=fixId&parent=IBM%20Performance%20Management%20family

OpenCVE Recommended Actions

  • Apply the IBM security fixes for DB2 V11.5 referenced in the security bulletins and install the corresponding patches on the affected servers.
  • Update IBM Cloud APM components to the latest 8.1.4 release that includes the applied DB2 fixes.
  • Restart all database and APM services after patching to ensure the changes take effect.

Advisories

No advisories yet.

History

Wed, 27 May 2026 15:30:00 +0000

Values Removed: none

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 14:15:00 +0000

Values Removed: none

Type: Description
Values Added: IBM Cloud APM, Base Private 8.1.4 and IBM Cloud APM, Advanced Private 8.1.4 IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of the Fenced environment.

Type: Title
Values Added: There are multiple vulnerabilities in IBM DB2 bundled with IBM Application Performance Management products.

Type: First Time appeared
Values Added: Ibm; Ibm cloud Apm Advanced Private; Ibm cloud Apm Base Private

Type: Weaknesses
Values Added: CWE-1284

Type: CPEs
Values Added: cpe:2.3:a:ibm:cloud_apm_advanced_private:8.1.4:*:*:*:*:*:*:*; cpe:2.3:a:ibm:cloud_apm_base_private:8.1.4:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Ibm; Ibm cloud Apm Advanced Private; Ibm cloud Apm Base Private

Type: References
Values Added: (none shown)

Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-27T14:38:08.383Z

Reserved: 2026-03-06T21:17:59.734Z

Link: CVE-2026-3676

Vulnrichment

Updated: 2026-05-27T14:37:34.558Z

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:16:47.123

Modified: 2026-05-27T14:53:51.833

Link: CVE-2026-3676

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T15:45:37Z

Weaknesses